HospitalInspections.org

Bringing transparency to federal inspections

3615 19TH STREET

LUBBOCK, TX 79410

PATIENT RIGHTS: PERSONAL PRIVACY

Tag No.: A0143

Based on interview and record review, the facility failed to protect Patient #1's Protected Health Information when the patient's Emergency Order of Protection was given to Patient #5.

Findings include:

Review of the written complaint, sent to the Texas Health and Human Services regulatory division on 8/3/21, reflected Patient #5 had been given another patient's Emergency Order of Protection (EOP) for psychiatric care during his admission on 7/21/21. The complaint reported on 7/29/21, the facility had given Patient #5 an EOP and that it had Patient #1's name. The complainant told the facility and was told it was just an error.

Review of Patient #1's medical records reflected the presence of an EOP dated 7/28/21.

During a telephone interview, on the afternoon of 1/11/22, in the administrative conference room, Staff #12, Quality Director, confirmed the facility had not received a report of a suspected breach.

During an interview, on the afternoon of 1/11/22, in the administrative conference room, Staff #2, Regulatory, confirmed the facility did not have a record of investigating the breach.

Review of the facility-provided policy Protected Health Information Breach Notification Standard corresponds to General Privacy Policy (dated 11/2021) reflected,
"The purpose of this standard is to describe steps that must be taken in the event of a Suspected or Actual Breach of Unsecured Protected Health Information ("Breach") and, when appropriate, to report the Breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) or its implementing regulations.
"Breach" or "Actual Breach" means an unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information ...
Procedures:
Responding to a Suspected or Actual Breach
2. Risk Assessment ... the entity, in conjunction with the IRT, will use the HITECH Breach Notification Toolkit to conduct a risk assessment to determine if the Breach compromises the security or privacy of the PHI. In determining whether a low probability of compromise has occurred, this risk assessment will consider the following four factors:
a. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;
b. The unauthorized person who used the PHI or to whom the disclosure was made;
c. Whether the PHI was actually acquired or viewed; and
d. The extent to which the risk to the PHI has been mitigated.
3. The Chief Privacy Officer or his/her designee shall document the outcome from the risk assessment for inclusion into the appropriate reporting system. This documentation is required even if the risk assessment determines that no notification is required ...
Actions if a Reportable Breach has occurred
1. Notification to individuals. If, after conducting the risk assessment, the entity and the IRT cannot determine that there is a low probability of compromise to the Unsecured PHI, a letter will be drafted notifying the individual(s) of the Breach (Note that it must be adapted for individual state law.) The letter shall be reviewed, signed, and sent by the RIS-Compliance Chief Privacy Officer or his/her designee. The IRT will determine the next steps ...
2. Timing of notification. Except for cases in which a law enforcement official requests a delay in notification (see below), the RIS-Compliance Chief Privacy Officer or his/her designee shall provide notification to the individual without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach by the entity or after being informed of a breach by a business associate ..."