Bringing transparency to federal inspections
Tag No.: A0143
Based on interviews and record reviews, the facility failed to protect patient personal and confidential medical information. On November 22, 2016, Employee 1 (clinical care partner) took a picture of the computer screen using his personal cell phone showing patient names including Patient 1 and posted it on Instagram. On November 22 and 23, 2016, Employee 2's daughter posted Patient 1's admission and diagnosis on her Twitter account.
Findings:
a. During an interview on January 17, 2011, at 8:55 a.m., the facility's chief compliance and privacy officer stated that on November 22, 2016, Employee 1 (clinical care partner) took a picture of the computer screen using his personal cell phone showing patient names including Patient 1 and posted it on Instagram.
A review of the medical record indicated Patient 1 (a high profile patient) was admitted to the facility on November 21, 2016.
During a tour of the psychiatric unit on January 17, 2017, at 9:48 a.m., it was observed that the intensive care unit consisted of 6 beds. Patient 1 at the time of admission occupied room 4139. Room 4139 was located at the end of the hall approximately 75 feet from the nurses' station.
The adult psychiatric unit consisted of unit A, B, and C. Any employee assigned to the unit could access the computer and view all the patients' records admitted to all three units.
On November 22, 2016, Employee 1 was working in unit A of the adult psychiatric unit. Patient 1 was admitted to Unit B on November 21, 2016. It was not determined during the facility's investigation whether Employee 1 accessed the computer from unit A or B. The computer screen showed 16 patients. Patient 1's pseudonym and legal name, room number, age and gender were not redacted. The name, room number, age, gender and diagnosis of 15 other patients were not redacted.
A review of Employee 1's file indicated that his date of employment was October 17, 2016. Employee 1 signed the confidentiality agreement on September 8, 2016. The confidentiality agreement stipulated that Employee 1 understood and acknowledged that he shall respect and maintain all discussions, deliberations, patient care records and any other information generated in connection with individual patient care, risk management and/or peer review activities. Employee 1 understood and acknowledged that it was his legal and ethical responsibility to protect the privacy, confidentiality and security of all medical records, proprietary information and other confidential information relating to the facility and its affiliates and medical information relating to patients, members, employees and health care providers.
Employee 1 was placed on administrative leave on November 28, 2016. On January 10, 2017, Employee 1 was no longer eligible for scheduling in his position as a per diem clinical care partner.
b. A review of the Personnel File of Employee 2 indicated the employee was hired on June 22, 1994, as a Psychiatric Technician. On November 23, 2016, a letter from the facility was sent to Employee 2 informing him he was placed on an investigatory leave with pay effective November 23, 2016.
Review of the Confidentiality Statement signed by Employee 2 on November 20, 2008, with the Supervisor's initial, indicated Employee 2 agreed to the following:
1. To protect the privacy and security of confidential information at all times, both during and after my employment with the University of California had terminated.
2. To access confidential information to the minimum extent necessary for my assigned duties and disclose such information only to persons authorized to receive it.
3. I understand the following:
a. The [Facility Name] Health System tracks all user IDs used to access electronic records. Those IDs enable discovery of inappropriate access to EITHER employee records or patient records.
b. Inappropriate access and unauthorized release of protected information will result in disciplinary action, up to and including termination of employment, and may result in disciplinary action.
c. User IDs cannot be shared. Inappropriate use of my ID (whether by me or anyone else) is my responsibility and exposes me to severe consequences.
Review of the Daily Assignment Log dated November 22, 2016, indicated Employee 2 worked on the 7 a.m. to 7 p.m. shift on Unit B (4 East). The employee worked on the 7 p.m. to 7 a.m. shift in Unit C (4 East ICU) for 4 hours from 7 p.m. to 11:30 p.m. without any patient assignment. The employee was assisting the unit for whatever was needed. From 10 p.m. to 11 p.m., the employee was assigned to Patient 1 as a one-on-one.
On November 22, 2016, at 11:37 p.m., Employee 2's daughter posted on her Twitter account "My Dads a psyche tech at the [Facility Name] where Patient 1 was admitted & my dad took care of him today & he said he's actually really nice." It was noted the posting had 3 likes.
On November 22, 2016, at 11:39 p.m., Employee 2's daughter posted again on her Twitter account "My Dad confirmed, Patient 1 had a mental break down and is psychotic rn lol". It was noted the posting had 2 likes.
On November 23, 2016, at 1:18 a.m., Employee 2's daughter posted again on her Twitter account "Alright 'lol' had to delete those tweets. Haha too many people liking it (emoji-an animal character) don't want my dad getting fired 'lmao.'"
During an interview with registered nurse (RN) 1, Assistant Nurse Manager, on January 17, 2017, at 8 a.m., she stated she was made aware on November 23, 2016, of personal information regarding Patient 1 leaked on Twitter. RN 1 immediately notified the hospital leadership via e-mail to start the investigation immediately. The result was immediate, and it was found that Employee 2's daughter had posted on her Twitter account regarding Patient 1.
Review of the investigation report indicated that on November 22, 2016, the daughter of Employee 2 tweeted information about Patient 1's diagnosis that was provided to her by her father (Employee 2). The tweets were later removed that day. The report indicated it was an inappropriate disclosure to a non-workforce member without a business purpose. The documentation also indicated that during the investigation Employee 2 never admitted to doing it. The daughter's intent was to share information for popularity.
Review of the facility policy HS 9401 titled "Protection of Confidential Patient Information (Protected Health Information (PHI))" indicated all members of the [Facility Name] Health Workforce should only access and use PHI as necessary for their job functions. Repeating or in any way disseminating patient information either by oral communication or in writing, except as permitted herein or required by law, is considered an unauthorized release of medical information and is a serious offense which may have personal civil and/or criminal liability. Violation of this policy constitutes grounds for disciplinary action up to and including termination.