Tag No.: A0043
Based on observation, interview and document review, the Governing Body did not ensure that the hospital's Quality Assessment Performance Improvement (QAPI) Program had performed an annual evaluation of a contracted cancer registry service and did not identify issues regarding the contracted cancer registry staff's lack of education and compliance with hospital policy on securing confidential patient information for 3 out of 6 registry staff. In addition, the Governing Body did not ensure the QAPI program evaluated the 791 non-clinical contracts to determine whether these contracts have access to protected health information and resulted in a potential risk for patient confidentiality. Furthermore, the Governing Body was unable to identify areas of improvement which resulted in the unsecured storage of confidential patient information by the contracted registry staff.
As a result patient confidentiality was not ensured.
Findings:
1. The Governing Body did not ensure the confidentiality of patient records. (See A-0441)
2. The Governing Body did not ensure that the QAPI program was comprehensive and evaluated a contracted service. (See A-0083)
3. The Governing Body did not ensure that the QAPI program evaluated 791 non-clinical contracts to determine whether these contracts had access to protected health information and resulted in a potential risk to patient confidentiality. (See A-0083)
4. A review of the hospital bylaws was conducted on 9/29/15 at 10 A.M. The document indicated that the Governing Body is required "to make and enforce all rules and regulations necessary for the administration, government, protection, and maintenance of hospitals and other facilities under District jurisdiction." (See A-0083)
The cumulative effect of these systemic problems resulted in the facility's failure to deliver care in compliance with the Condition of Participation for Governing Body and failure to provide a safe and secure environment for patients.
Tag No.: A0083
Based on observation, interview and document review, the Governing Body did not ensure that the hospital's Quality Assessment Performance Improvement (QAPI) Program had performed an annual evaluation of a contracted cancer registry service and did not identify issues regarding the contracted cancer registry staff's lack of education and compliance with hospital policy on securing confidential patient information for 3 out of 6 registry staff. In addition, the Governing Body did not ensure that the QAPI program evaluated the 791 non-clinical contracts to determine whether these contracts have access to protected health information and resulted in a potential risk for patient confidentiality. Furthermore, the Governing Body was unable to identify areas of improvement which resulted in the unsecured storage of confidential patient information by the contracted registry staff.
As a result patient confidentiality was not ensured.
Findings:
A concurrent tour and interview of the hospital was conducted on 9/29/15 at 9 A.M. with the Director of Regulatory Compliance and Quality (DRCQ). The DRCQ stated that on 8/15/15 an unauthorized individual entered the hospital and began roaming around trying to open doors and stealing items from areas he accessed. The individual entered a closed unit on the 3rd floor and began opening the unused patient room doors looking to take what he could find.
During the concurrent tour and interview with the DRCQ, an observation on 9/29/15 at 9:45 A.M. of the closed 3rd floor unit revealed a sign stating "unit closed authorized personnel only." The DRCQ stated that this sign was posted when the unauthorized individual entered the closed unit. She stated a cancer registry service was storing boxes with documents in one of the unlocked rooms, and the unauthorized individual took some of the papers from a box in that room. She stated the forms were cancer registry logs with patient names and some diagnoses on the forms. She acknowledged that it was not appropriate to store confidential patient information in an unsecured area.
The DRCQ stated that the individual was apprehended and detained by hospital Security and the documents were then taken from him. The DRCQ stated that on a subsequent visit on 8/24/15, the Department found admit/transfer/discharge logs containing confidential patient information stored unsecured on the closed 3rd floor nurses station.
A review of the hospital bylaws dated 7/15 was conducted on 9/29/15. The document indicated that the Governing Body is required "to make and enforce all rules and regulations necessary for the administration, government, protection, and maintenance of hospitals and other facilities under District jurisdiction."
On 9/29/15, a review of the documents taken by the unauthorized individual was conducted. The cancer data reports, dated between 2/1/10 and 3/31/10, contained a list of patient names with medical record numbers, and some with diagnoses and biopsy pathology (a microscopic analysis of tissue) results.
A review of the admit/transfer/discharge logs that were found 8/24/15 in the closed 3rd floor nursing station was conducted on 9/29/15. The logs, dated between 12/12 and 1/13, contained confidential patient information on 823 patients, including patient name, admit location and discharge disposition.
The cancer registry service contract dated 10/1/10 was reviewed on 9/29/15 at 11 A.M. The contract indicated that it was renewed for 4 years dated on 1/31/14. There was no documented evidence that the contract was evaluated by QAPI or the Governing Body.
During an interview with the DRCQ on 9/30/15 at 9:00 A.M., the DRCQ stated that clinical contracts are to be reviewed annually for appropriateness of services provided and adherence to hospital policies. She acknowledged the cancer registry service contract had not been evaluated by the QAPI program or the Governing Body. She stated only 3 of the 6 employees of the cancer registry staff had documented evidence of training on protected patient information. She acknowledged that the lack of evaluation of the contracted service and staff led to confidential patient information not being secured as per hospital policy and resulted in unauthorized access to the confidential patient information.
The hospital's policy entitled "Confidentiality and Disclosure of Registry Information" was reviewed on 9/30/15 at 9:30 A.M. The policy indicated that "All registry staff is required to meet [the facility] legal and ethical responsibilities to protect the confidentiality of patient health information." The policy further indicates, "All Registry Staff must complete the following steps: Complete Privacy Training Test, Review and sign off on the Confidentiality Agreement..."
A review of the 6 cancer registry staff (CRS) personnel files indicated that only 3 out of 6 had signed patient confidentiality agreements (CRS 1, 2, 4). The CRS 3, who is the owner of the cancer registry service and was responsible for leaving the confidential patient information in the unsecured room, did not have documented evidence of a signed confidentiality agreement in her personnel file.
An interview with a representative of the Governing Body (GB 1) was conducted on 9/30/15 at 8 A.M. The GB 1 stated that the contracts are submitted for renewal by the Governing Body and that it is the expectation that those contracts would first be evaluated by the quality department for appropriateness of services, compliance with regulatory and hospital policies and financial appropriateness. The GB 1 acknowledged that the cancer registry service contract had not had an evaluation by the quality department and he stated that this was an oversight. GB 1 acknowledged that the evaluation would have identified issues regarding the registry staff's lack of training and compliance with patient confidentiality.
An interview with the DRCQ was conducted on 9/30/15 at 9 A.M. According to the DRCQ, there were 840 contracted services. Of those 840 contracts, only 49, which the facility designated as clinical contracts, required an annual evaluation prior to approval through QAPI and Governing Body. The other 791 contracts the facility deemed as non-clinical, which meant no access to protected health information (PHI) and for which an annual evaluation was not performed prior to approval by the QAPI and Governing Body. The DRCQ stated the cancer registry service contract was considered non-clinical, when in fact it was a clinical contract which had access to PHI. The DRCQ stated of the 791 unevaluated contracts that remained, the facility was unable to determine which had access to PHI.
The DRCQ stated the facility was in preparation for a survey by another Regulatory agency during October 2015. She further stated the facility would not attempt to determine which contracts had access to PHI until after that survey, in January 2016.
Tag No.: A0263
Based on observation, interview and document review, the Governing Body did not ensure that the hospital's Quality Assessment Performance Improvement (QAPI) Program had performed an annual evaluation of a contracted cancer registry service and did not identify issues regarding the contracted cancer registry staff's lack of education and compliance with hospital policy on securing confidential patient information for 3 out of 6 registry staff. In addition, the Governing Body did not ensure that the QAPI program evaluated the 791 non-clinical contracts to determine whether these contracts have access to protected health information and resulted in a potential risk for patient confidentiality. Furthermore, the Governing Body was unable to identify areas of improvement which resulted in the unsecured storage of confidential patient information by the contracted registry staff.
As a result patient confidentiality was not ensured.
Findings:
1. The QAPI program failed to ensure confidential patient information was stored securely and not accessible by unauthorized persons. (See A-0441)
2. The QAPI program failed to evaluate a contracted service and did not identify issues with the contracted staff not having documented training in protecting and storage of confidential patient information. (See A-0308)
3. The QAPI program failed to evaluate all contracted services to be reviewed and approved by the Governing Body. (See A-0083)
4. The QAPI program failed to evaluate 791 non-clinical contracts to ensure that these contracts did not have access to protected patient information. (See A-0083)
The cumulative effect of these systemic problems resulted in the facility's failure to deliver care in compliance with the Condition of Participation for QAPI and failure to provide care to their patients in a safe environment.
Tag No.: A0308
Based on observation, interview and document review, the hospital's Quality Assurance and Performance Improvement (QAPI) program failed to ensure that all confidential patient information was stored securely and not accessible to unauthorized persons. The QAPI Program failed to ensure the contract for a cancer registry service was evaluated annually and the cancer registry staff had documented training on patient confidentiality and followed and enforced the hospital's policy regarding securing confidential patient information for 3 out of 6 registry staff.
As a result confidential patient information was stored in an unsecured area.
Findings:
A concurrent tour and interview of the hospital was conducted on 9/29/15 at 9 A.M. with the Director of Regulatory Compliance and Quality (DRCQ). The DRCQ stated that on 8/15/15 an unauthorized individual entered the hospital and began roaming around trying to open doors and stealing items from areas he accessed. The individual entered a closed unit on the 3rd floor and began opening the unused patient room doors looking to take what he could find.
During the concurrent tour and interview with the DRCQ, an observation on 9/29/15 at 9:45 A.M. of the closed 3rd floor unit revealed a sign stating "unit closed authorized personnel only." The DRCQ stated that this sign was posted when the unauthorized individual entered the closed unit. She stated that a cancer registry service was storing boxes with documents in one of the unlocked rooms, and the individual took some of the papers from that room. She stated that the forms were cancer registry logs with patient names and some diagnoses on the forms. She acknowledged that it was not appropriate to store confidential patient information in an unsecured area.
According to the DRCQ, the individual was apprehended and detained by hospital Security so the documents did not leave the facility. The DRCQ stated that on a subsequent visit on 8/24/15, the Department found admit/transfer/discharge logs containing confidential patient information unsecured on the closed 3rd floor nurses station.
On 9/29/15, a review of the documents taken by the unauthorized individual was conducted. The cancer data reports, dated between 2/1/10 and 3/31/10, contained a list of patient names with medical record numbers, and some with diagnoses and biopsy pathology (a microscopic analysis of tissue) results.
A review of the admit/transfer/discharge logs that were found 8/24/15 in the closed 3rd floor nurses station was conducted on 9/29/15. The logs, dated between 12/12 and 1/13, contained confidential patient information on 823 patients, including patient name, admit location and discharge disposition.
The cancer registry service contract dated 10/1/10 was reviewed on 9/29/15 at 11:00 A.M. The contract indicated that it was renewed for 4 years dated on 1/31/14. There was no documented evidence that the contract was evaluated by QAPI or the Governing Body.
A review of the 6 cancer registry staff personnel (CRS) files indicated that only 3 out of 6 had signed patient confidentiality agreements (CRS 1, 2 and 4). The CRS 3 who is the owner of the cancer registry service and was responsible for leaving the patient information in the unsecured room did not have documented evidence of a signed confidentiality agreement in her personnel file.
An interview was conducted with the DRCQ on 9/30/15 at 9:00 A.M. The DRCQ stated that contracts are to be reviewed annually for appropriateness of services provided and adherence to hospital policies. The DRCQ acknowledged that the cancer registry service contract had not been evaluated by the QAPI program or the Governing Body. The DRCQ stated that only 3 of the 6 employees of the cancer registry staff had documented evidence of protected patient information training. The DRCQ acknowledged that the lack of training for the cancer registry staff in patient confidentiality was not identified prior to the contract being renewed. The DRCQ acknowledged that the lack of evaluation and review of the contracted cancer registry service prior to renewal was an oversight. The DRCQ stated that the hospital did not have a written policy and procedure regarding the evaluation and review of hospital contracts.
In addition, the DRCQ stated there were 840 contracted services. Of those 840 contracts, only 49 had gone through QAPI and Governing Body for evaluation.
Tag No.: A0441
Based on observation, interview and record review, the facility failed to ensure cancer data reports containing confidential information on 66 patients and admit/transfer/discharge logs containing confidential patient information on 823 patients were stored securely and not accessible by unauthorized persons. As a result, the cancer data reports, dated 2/1/10 through 3/31/10, were taken by an unauthorized individual from an unsecured room on the closed 3rd floor unit. In addition, the admit/transfer/discharge logs, dated 12/12 through 1/13, were left unsecured on a chart rack in the closed 3rd floor nurses station.
Findings:
On 8/24/15 at 11 A.M., the Director of Regulatory Compliance & Quality (DRCQ) was interviewed regarding a self-reported incident involving an unauthorized individual wandering the hospital on 8/15/15. According to the DRCQ, around 6 P.M. on 8/15/15, an unauthorized individual attempted to enter the pharmacy through a locked door. The suspect was seen on surveillance camera wandering in and out of empty patient rooms on the closed 3rd floor unit. The suspect was apprehended by security and was found to have cancer data reports, an oxygen regulator, and an empty blue binder in his possession, taken from various rooms on the closed unit. The cancer data reports, which did not leave the facility, were documents that contained confidential information on 66 patients. The suspect was then taken into custody by police.
During a tour of the closed 3rd floor unit on 8/24/15 at 1:20 P.M., there were admit/transfer/discharge logs observed left unsecured on a chart rack. The logs contained confidential patient information on 823 patients, including patient name, admit location and discharge disposition.
When interviewed on 9/29/15 at 8:30 A.M., the DRCQ stated that a cancer registry staff (CRS 3), who works for a contracted cancer registry service, was the person responsible for the cancer data reports. Per the DRCQ, the contract for the cancer registry service has been in place since 2010. However, the contract has not had any yearly evaluations for quality of services and compliance with hospital policies, including privacy training of staff. The DRCQ stated that CRS 3 did not have documented evidence of a signed confidentiality agreement or privacy training in her personnel file.
During an interview on 9/30/15 at 2:50 P.M., CRS 3 stated that she had to move her office to a temporary location in an empty patient room on the closed 3rd floor unit. Per CRS 3, she packed her personal belongings and work documents in boxes which were stored in the unsecured 3rd floor patient room. CRS 3 stated she took full responsibility for not ensuring all confidential patient information was stored securely and not accessible to unauthorized persons.
According to the facility's policy, Confidentiality and Disclosure of Registry Information- Oncology Registry, last reviewed 8/14, "All Registry staff is required to meet [the facility] legal and ethical responsibilities to protect the confidentiality of patient health information." The policy further indicates, "All Registry staff must complete the following steps: Complete Privacy Training Test, Review and sign off on the Confidentiality Agreement..."
Tag No.: A0454
Based on interview and record review, the facility failed to ensure physician's verbal orders were dated and signed by the practitioner in a timely manner for 3 of 30 sampled patients (2, 3, 4).
Findings:
1. Patient 2 was admitted to the facility on 8/10/15, according to the facility's Patient Information record. On 10/1/15, at 10:15 A.M., the patient's clinical record was reviewed with Registered Nurse (RN) 1.
According to the General Intraoperative Orders, a licensed nurse received verbal orders for medications from the practitioner on 8/10/15 at 8 A.M. The verbal orders had not been signed by the practitioner until fifteen days later on 8/25/15.
The Operations Manager of Medical Records (OMMR) was interviewed on 10/1/15 at 10:25 A.M. The OMMR stated the orders were placed in the practitioner's box by 8/11/15, "He just signed them late."
2. Patient 3 was admitted to the facility on 9/26/15, according to the facility's Patient Information record. On 10/1/15, at 10:55 A.M., the patient's clinical record was reviewed with RN 1.
According to the Physician's Orders, dated 9/27/15 at 1:20 P.M. and 9/29/15 at 9 A.M., a licensed nurse received verbal orders for medications from the practitioner. RN 1 acknowledged the verbal orders had not been signed by the practitioner as of 10/1/15.
3. Patient 4 was admitted to the facility on 9/24/15, according to the facility Patient Information record. On 10/1/15 at 11:15 A.M., the patient's clinical record was reviewed with RN 1.
According to the General Intraoperative Orders, a licensed nurse received verbal orders for medications from the practitioner on 9/28/15 at 8 A.M. RN 1 acknowledged the verbal orders had not been dated by the practitioner as of 10/1/15.
According to the facility policy revised 1/13 and titled Physician/Provider Orders: "Orders must be signed within 48 hours for medication orders..."
Tag No.: A0466
Based on interview and record review, the facility failed to ensure a Conditions of Admissions form was signed for 4 of 30 sampled patients (1, 5, 7, 13).
Findings:
1. Patient 1 was admitted to the facility on 9/26/15, according to the Patient Information record. On 10/1/15, at 10:45 A.M., the patient's clinical record was reviewed with Registered Nurse (RN) 1.
According to the facility's Conditions Of Admission, dated 9/26/15, Patient 1 refused to sign the form. As of 10/1/15 at 10:45 A.M., there was no documentation the patient had signed a Conditions Of Admission form. In addition, there was no documentation of any additional attempts to have the patient sign the form.
2. Patient 5 was admitted to the facility on 8/9/15, according to the Patient Information record. On 10/1/15, at 10:10 A.M., the patient's clinical record was reviewed with RN 1.
According to RN 1, a Conditions Of Admission form, "was never done" for the patient's admission on 8/9/15.
3. Patient 13 was admitted to the facility on 8/21/15 and discharged on 8/25/15, per the Patient Information record.
The clinical record was reviewed with the Nursing Quality Outcome Coordinator (NQOC) on 9/30/15. According to the patient's Conditions of Admission (COA) form, staff documented on the signature line "pt [patient] unable to sign per condition." There were no further documented attempts to obtain consent/signature on the COA from Patient 13 that could be located in the patient's clinical record.
The Manager of Access Management/Registration (MAM/R) was interviewed on 10/1/15 at 10:30 A.M. According to the MAM/R, if staff were unable to obtain a patient signature, they were to indicate that on the COA, and then check "No" next to "COA signed" in the electronic registration system. All "no" or "unable" answers appear on the daily report for staff to follow up. Per the MAM/R, Access Management staff were supposed to make daily attempts to obtain a signature on the COA form.
A review of Patient 13's electronic registration indicated staff checked "yes" next to COA signed. The MAM/R stated that Patient 13 did not end up on the daily report because staff inadvertently checked "yes" in the electronic registration system.
4. Patient 7 was admitted to the facility on 8/4/15, per the Patient Information record. Patient 7 remained in the facility for 14 days and was discharged on 8/18/15, per the physician Discharge Summary.
Patient 7's clinical record was jointly reviewed with the Director of Regulatory Compliance and Quality (DRCQ) on 9/30/15 at 11:30 A.M.
On 8/4/15, a facility staff member documented on Patient 7's Conditions of Admission (COA) form the patient was unable to sign due to a medical condition.
There were no other documented attempts to obtain consent/signature on the COA from Patient 7 that could be located in the patient's clinical record.
The Manager of Access Management/Registration (MAM/R) was interviewed on 10/1/15 at 10:30 A.M. The MAM/R stated the Access Management staff were supposed to make daily attempts to obtain a signature on the COA form. In addition, the staff were supposed to document if unable to obtain a signature on the form. The MAM/R also stated a daily report was generated for monitoring and tracking unsigned COAs and the Access Management Supervisor (AMS) was responsible for the review of the report and the assignment of staff to obtain the appropriate signatures.
The AMS was interviewed on 10/1/15 at 11:05 A.M. The AMS stated he reviewed the daily unsigned COA tracking logs and assigned staff to obtain the needed signatures. The AMS also said he reviewed the tracking logs for same names appearing, but was unable to explain why Patient 7's name would have been present on the tracking log for multiple days and the patient's COA went unsigned for the 14 days he was in the facility.
According to the facility policy, entitled, Condition of Admission, revised 10/24/14, "Hospital staff shall make continued attempts to have the Conditions of Admission document signed... Daily rounding to patient units to obtain the patient/patient's signature... All attempts to obtain signature on the COA will be documented by the team member initiating the patient follow-up."
Tag No.: A0467
Based on interview and record review, the facility failed to ensure documentation in the medication administration record (MAR) reflected the response to a pain medication for 1 of 30 sampled patients (1).
Findings:
Patient 1 was admitted to the facility on 9/26/15, according to the facility's Patient Information form. On 10/1/15 at 10:45 A.M., the MAR for Patient 1 was reviewed with Registered Nurse (RN) 1.
According to the MAR, Patient 1 received a PRN (as needed) of Norco (a narcotic medication used for pain relief) 10/325 milligrams (mg) two tablets by mouth (PO) on 9/29/15 at 9:48 P.M. RN 1 confirmed there was no documentation on the MAR related to the patient's response to the pain medication.
According to the facility policy revised 11/14 and titled, Pain Management: "Reassessment of pain level and level of consciousness should be done one (1) hour after PO intervention. Document in PRN response in medical record."