The information below comes from the statement of deficiencies compiled by health inspectors and provided to AHCJ by the Centers for Medicare and Medicaid Services. It does not include the steps the hospital plans to take to fix the problem, known as a plan of correction. For that information, you should contact the hospital, your state health department or CMS. Accessing the document may require you to file a Freedom of Information Request. Information on doing so is available here.

Based on review of records and interview, the facility failed to develop a grievance process that included the prompt resolution, tracking, and patient notification of investigation results for patient grievances that required investigation into breaches of the Health Insurance Portability and Accountability Act (HIPAA) and patient privacy.

Findings were as follows:

Information provided on behalf of Patient #2 alleged that Patient #2 filed a "formal grievance" on 8/8/2017 with Staff #13. The grievance concerned a breach of HIPPA and Patient #2's privacy. Staff #13 called Patient #2 the week after her discharge to gather further information and told Patient #2 that he had reported the incident to the Chief Executive Officer (CEO), Staff #14.

Review of an email dated 08/09/2017 at 4:12 PM from Staff #13 to Staff #14 confirm that this action did take place.

Review of the Grievance Log for August 2018 showed that no grievance for Patient #2 had been logged.

Information provided on behalf of Patient #2 alleged that Patient #2 had not received any communication from Staff #13 by November. Patient #2 called Staff #13 in November and was told that the matter had been investigated, determined to have not happened, and was closed.

On 8/21/2018, a review was made of an incident report filed by the nursing staff. The entry was dated 8/7/2017 at 9:50 PM, 2 hours and 50 minutes after the alleged HIPAA and patient privacy breach took place. Details documented by the nursing staff in the incident report support that the incident did, in fact, happen as alleged.

On the morning of 8-21-2018, a telephone interview was conducted with Staff #3, the Regional Compliance and Privacy Manager. Staff #3 stated that Patient #2 had contacted Staff #3 in November 2017 in regards to a HIPAA/Privacy breach. Staff #3 stated this was the first time she had heard of the incident. At that point, the incident was investigated and action was taken. Staff #3 stated she sent a letter to Patient #2 on February 26, 2018 and had confirmation of delivery in March 2018. This letter was to notify her that her of the personal information breach. When asked why this incident was not processed as a grievance, Staff #3 stated she did not know why. Staff #3 stated that she did not manage the grievance program and only handled the compliance investigation.

Interview was conducted with Staff #8. Since Staff #13 was no longer employed, Staff #8 was responsible for processing grievances for both Marshall and Longview. Staff #8 was unaware of the details about the grievance in question because it had been previously handled by Staff #13. Staff #8 indicated that neither she or Staff #13 would have processed it as a grievance since the investigation was conducted by the Regional Compliance and Privacy Manager. When asked how patients with grievances concerning HIPPA and privacy breaches were provided the notices required by the grievance process, Staff #8 stated that the Regional Compliance and Privacy Manager was responsible for the investigation and notifications.

A review of policy title, Complaint Resolution, Policy Number: VII - 4, was made. Staff # 2 stated this policy was in effect in August 2017 at the time the grievance was filed. "The following shall be regarded as a grievance: 1) Complaints from patients, or individuals on behalf of the patient, that cannot be resolved promptly by staff present."

Patient #2's grievance required an investigation and could not be resolved promptly. Patient #2's grievance was never processed and followed up on as a grievance.

A review of policy title, Patient Grievances/Complaint Resolution, Effective Date: 1/1/2018 was reviewed. No process was found for the tracking of HIPAA and patient privacy grievances once the investigation was turned over to the Regional Compliance and Privacy Manager. Staff #8 confirmed she did not have a process for tracking them. Staff #8 stated she only noted in the complaint record that the investigation had been turned over and did not follow up at the required time intervals to ensure notices were sent to the patient as required by hospital policy for a grievance.

Hospital policy required the initial notification to be made within 7 days and the follow-up notification be made within 45 days. The incident occurred in August 2017 and the patient did not receive any notifications until March 2018.