Tag No.: A0431
Based on observation, interview and policy review, the facility failed to:
- Protect 5,511 patients' protected health information (PHI - any information in a medical or electronic record that can be used to identify an individual, for example, demographic information, and information used when providing health care, including diagnoses, care and treatment of a patient) when staff posted patients' PHI on an unauthorized website (a location connected to the Internet that maintains one or more pages on the World Wide Web) and blog (a regularly updated website or web page, typically one run by an individual, that is written in an informal or conversational style) for approximately seven years.
- Protect patients' PHI in the Oncology Clinic when staff left 56 schedules and 10 sheets of patients' labels out on a counter behind the nurse's station unattended and unsupervised where unauthorized access could occur.
- Protect approximately 400 patients' medical records with PHI in a room with the door propped open and without a lock located in the Oncology Clinic.
- Limit staff access into the Medical Records Department, by allowing all 6,902 employees' badges access into the department where approximately 7,000 to 10,000 patients' medical records and PHI were stored.
These failed practices by the facility placed all patients' PHI at risk for unauthorized access. The facility census was 221.
The cumulative effects of these systemic practices resulted in the facility's inability to ensure the safety and confidentiality of all patients' medical records/PHI and resulted in the facility being out of compliance with 42 CFR 482.24 Conditions of Participation: Medical Record Services.
Refer to the 2567 for additional information.
Tag No.: A0441
Based on observation, interview and policy review, the facility failed to:
- Protect 5,511 patients' protected health information (PHI - any information in a medical or electronic record that can be used to identify an individual, for example, demographic information, and information used when providing health care, including diagnoses, care and treatment of a patient) when staff posted patients' PHI on an unauthorized website (a location connected to the Internet that maintains one or more pages on the World Wide Web) and blog (a regularly updated website or web page, typically one run by an individual, that is written in an informal or conversational style) for approximately seven years.
- Protect patients' PHI in the Oncology Clinic when staff left 56 schedules and 10 sheets of patients' labels out on a counter behind the nurse's station unattended and unsupervised where unauthorized access could occur.
- Protect approximately 400 patients' medical records with PHI in a room with the door propped open and without a lock located in the Oncology Clinic.
- Limit staff access into the Medical Records Department, by allowing all 6,902 employees' badges access into the department where approximately 7,000 to 10,000 patients' medical records and PHI were stored.
These failed practices by the facility placed all patients' PHI at risk for unauthorized access. The facility census was 221.
Findings included:
1. Record review of the facility's policy titled, "Access to Data and Information," revised 05/14, showed the following directives for staff:
- Patients' protected health information is the property of the Hospital. Access to such data or information is given only on a need to know basis and only after consideration of applicable law, the internal needs of the facility and the job requirements or authority of the individual seeking such access. Unauthorized access, use or disclosures of any such data or information will result in disciplinary action, up to and including termination of employment or affiliation with the Hospital.
- Access to patient medical records by Hospital staff is limited to the scope of their job duties. Hospital Staff is allowed only to access patient information when there is a need to know and then may only access the minimum necessary information.
- Physicians, nurses, allied health professionals, residents, fellows, medical nursing, allied health students will be given full access to the complete patient medical record. Access is granted for the purpose of providing care, treatment, consultation, coverage and referrals and facilitating performance of approved Institutional Review Board (IRB) research.
2. During an interview on 06/21/17 at 9:35 AM, Staff JJ, Information Compliance Officer, stated that:
- A breach in patients' medical records and PHI was discovered on 03/23/17, when an Information Security Consultant (ISC) found a website that was not hosted by the hospital's system but had been created and managed by a surgeon employed by the facility.
- The website did not display patients' information; however, when the ISC went into the web browser (software application for retrieving, presenting and traversing information resources on the World Wide Web), he was able to pull up information about patients that had been seen at the facility.
- The following information was included on the web browser:
-Name;
-Encounter number;
-ICD (International Classification of Disease - diagnosis and procedure) codes;
-Medical Record Number;
-Gender;
-Date of Birth;
-Age;
-Height and Weight;
-Body Mass Index;
-Dates of service: Date of admission, discharge and procedures; and
-Brief notes from the surgeon.
- The website served as a blog, to store information and personal files of the surgeon.
- The facility does not have any record that the surgeon requested permission from the facility to create either the website or the blog.
- When facility staff was informed of the unauthorized website and blog the surgeon granted permission to take down the website.
- The facility had a 3rd party Forensic Team analyze the website and blog to see who had logged onto the site and whether any patient information had been accessed. The forensic analysis was not sufficiently detailed to determine whether patients' information had been accessed by unauthorized people.
- The facility staff assessed the data files from the forensic team and matched them against the facility's own patient records to see if the patients listed had received care, treatment and services from the facility. Through the analysis conducted by the facility, it was discovered that 5,511 patients were affected by the breach. The facility's analysis was completed on 05/05/17.
- There were a total of four staff who knew about the website/blog: the surgeon who created the website/blog, two advanced nurse practitioners and one administrative assistant.
- The surgeon created the website/blog approximately seven years ago without the facility's permission or knowledge. The information on the website was manually entered into the system, so the facility was not able to determine whether he used a facility computer or one of his own. The information was obtained from patients he had provided care, services and treatment for over the past seven years.
3. Observation and concurrent interview on 06/20/17 at 9:50 AM in the Hematology/Oncology Clinic showed 56 patient schedules and 10 sheets of patient labels on a counter behind the nurse's station, left unattended and unsupervised by staff. This allowed unauthorized access to either the patient schedules or the labels. The schedule sheets contained the following patient PHI:
-Patient Name;
-Medical Record Number;
-Patient Phone Number;
-Reason for Visit;
-Primary Insurance; and
-Secondary Insurance.
Staff U, RN, Education Coordinator Hematology/Oncology, Charge Nurse, stated that the schedules with patients' PHI are placed in shred bins at the end of the clinic. Staff U stated that staff are always at the nurse's station when patients' PHI are left out on the counter. Staff U could not explain why no staff was at the nurse's station where the schedules and labels were left unattended and unsupervised by staff.
4. Observation on 06/20/17 at 10:11 AM in the Oncology Clinic showed staff had left the following patients' PHI unattended and unsupervised at the nurse's station:
-Four pages of physician orders;
-One consent form;
-One physician order set;
-Three pages of scheduling; and
-10 patient labels.
5. Observation on 06/20/17 at 10:15 AM showed a room located at the end of the nurse's station on the Oncology Clinic with a door propped open. The room contained approximately 400 patients' medical records and PHI. The door to the room did not have a lock on it, so the room could not be secured even when the door was shut. The patients' medical records included the following PHI:
-Name;
-Medical Record Number;
-Date of Birth;
-Medications; and
-Height and Weight.
During an interview on 06/20/17 at 10:15 AM, Staff Z, RN, Oncology Clinic, stated that the desk at the nurse's station did not always have staff sitting there to protect patients' PHI that was on the schedules. Staff Z stated the door where patients' medical records were kept did not have a lock on it and the door was kept open during clinic hours, so the physician could easily access a patient's record when needed. Staff Z stated that she received education about PHI during orientation and that staff are instructed to turn over papers that contained PHI so it is not visible to unauthorized people.
6. Observation on 06/20/17 at 12:15 PM of the Medical Records Department showed an area where requested copies of patients' medical records were kept on a metal shelving unit. The metal shelving unit had no way to secure the medical records, and the records, which contained PHI, were open and visible to anyone who came into that area of the department. Thirty-two patients' requested medical records were in sealed light tan/yellow envelopes, and the front of each envelope carried a front sheet for that patient. The front sheet contained the following patient PHI: name, medical record number, date of birth, and who had requested the medical chart.
During an interview on 06/20/17 at 12:25 PM, Staff X, Senior Manager of HIM (Health Information Management also known as Medical Records Department) Operations, stated that:
- Housekeeping comes into the Medical Records Department after hours, around 6:00 PM, to clean and HIM staff are not present in the department.
- Requested patients' medical records are left out on the shelving unit unattended and unsupervised by HIM staff and could be accessible to whomever came into the requested chart area.
- Patients' paper medical records and research records are stored in the file room and contained approximately 7,000 to 10,000 records.
- Staff with badge access into the department have access to all patients' medical records including paper records and research records.
- Staff in other areas of the facility are responsible for keeping patients' PHI from unauthorized access.
- Staff should monitor patients' PHI left at nurse's stations and keep doors/cabinets shut and locked when patients' medical records are stored on patient care units.
- HIM staff can track any document that is printed or if there are any changes made to a patient's medical record.
- The facility runs quarterly audit reports and the audits flag any patient's medical record that had been accessed by someone that did not have authorization to access the record.
- Staff who access a patient's medical records without authorization are reported to employee relations and to the manager where they work, and an investigation then takes place to determine the breach.
7. Record review of an undated and unsigned handwritten statement showed that badge access to HIM is not restricted; it is a level 2 per the security officers, so all employees' badges allowed access.
During an interview on 06/21/17 at 9:30 AM, Staff G, Registered Nurse (RN), Director of Accreditation and Regulatory Readiness, stated that the facility employed 6,902 people and all had badge access to HIM. Staff G stated that she asked security what level 2 badge access meant and they were unable to tell her the meaning.
During an interview on 06/20/17 at 3:53 PM, Staff II, Assistant Director of Security, stated that all employees, both professional and non-professional staff, have badge access to HIM.