The information below comes from the statement of deficiencies compiled by health inspectors and provided to AHCJ by the Centers for Medicare and Medicaid Services. It does not include the steps the hospital plans to take to fix the problem, known as a plan of correction. For that information, you should contact the hospital, your state health department or CMS. Accessing the document may require you to file a Freedom of Information Request. Information on doing so is available here.
|NORTH COUNTRY HOSPITAL AND HEALTH CENTER||189 PROUTY DRIVE NEWPORT, VT 05855||Dec. 26, 2013|
|VIOLATION: PROTECTION OF RECORD INFORMATION||Tag No: C0308|
|Based on staff interview and record review, the hospital failed to develop an active surveillance process for assuring confidentiality and privacy of private health information for (2) electronic medical records (EMR). Patients # 1 & 2. Findings include:
Per staff interview on December 26, 2013 at 11:10 AM the Chief Compliance Officer confirmed that two hospital patient records had been breached. The first breach , # 1 occurred on August 8, 2013, and the second breach, # 2 occurred on October 29, 2013.
Record # 1 was discovered as a breach upon the request of a treating cliniician to have an audit conducted based on health information contained in the EMR that was disclosed to him/her by an unauthorized employee-user. The audit confirmed the unauthorized user had breached the medical record on several occasions. The unauthorized user subsequently elected to take an early retirement.
Record # 2 was discovered to have been breached when the patient requested to have an audit completed based upon suspicion that an unauthorized employee had gained access into his/her EMR. The audit confirmed that an employee gained access into the patient's EMR without authorization as indicated in facility policy. The unauthorized employee was then terminated from employment.
The facility administration has an established Information Security Management Team (ISMT) consisting of multidisciplinary membership. To date, as of December 26, 2013 the ISMT has not developed or implemented an auditing system that protects the confidentiality of patient medical records. Both discovered breaches were brought forward by employee suspicion and not through an active alert-identification process facilitated via ongoing or random auditing. The Chief Compliance Officer confirmed on December 26, 2013 at 3:00 PM that there is not an ongoing or random audit program currently in place.