Tag No.: A0142
Based on record review and interview, the facility failed to ensure the patient's right to privacy and confidentiality of information when 29 patients' information was erroneously and unintentionally forwarded to Patient #1's wife on 1/22/2025. On 1/23/2025 Patient #1's wife notified the facility of the violation. (29 of 29 / Patient #1, #2, #3, #4, #5, #6, #7, #8, #9, #10, #11, #12, #13, #14, #15, #16, #17, #18, #19, #20, #21, #22, #23, #24, #25, #26, #27, #28, and #29).
The facility failed to follow their policy to assess and remedy the breach from the 1/23/2025 notice until the 4/01/2025 surveyor inquiry.
Findings
The email forwarded to Patient #1's wife on 1/22/2025 contained 35 pages listing the 29 patients in the hospital on 1/21/2025, with individually listed patient supplies, services, and associated fees. The information included patient name, patient number, date of service, amount of charge for room and board, as well as individual charges per patient for hemodialysis, feeding pump, oxygen, wound dressings, isolation supplies, wound vac, wound gel, trach supplies, suction, reagent strips, mattress, bariatric bed, intravenous solutions, irrigation, abdominal binder, gait belt, speaking valve, sling, male/female catheter, bladder scan, assorted x-rays, angiography, assorted laboratory testing, telemetry, doppler, ventilator, trach care, suctioning, therapy (physical, occupational, speech), and each listed medication.
Patient #1's wife, the recipient of this patient information, forwarded the 1/22/2025 email to the facility CEO on 1/23/2025 to notify the facility of the violation.
No actions were completed or documented by the facility since the time of notification of the violation.
During an interview in the education conference room on 4/01/2025 at 1:20 PM, Personnel #1 was asked about the 1/23/2025 email that showed a 1/22/2025 violation of HIPAA and what was done to correct the violation when she received it. Personnel #1 stated she forwarded it to the Compliance Officer but had not heard back on it. Personnel #1 was asked for the email forwarded to compliance. Personnel #1 stated she could not find it but forwarded it again. Personnel #1 stated, "I thought I sent it but am not able to locate it in my sent file." Personnel #1 was asked to confirm that it appears today that this is the first compliance heard of the violation. Personnel #1 agreed.
The facility's "Uses and Disclosures of Protected Health Information (PHI)" policy, last reviewed 1/27/2025, required, "federal HIPAA regulations on patient privacy and confidentiality place restrictions on our ability to use and disclose that information..."
The facility's "Breach Notification" policy, last reviewed 1/27/2025, required, "all employees will access, use and disclose protected health information only as permitted...in the event that a breach of unsecured PHI occurs...Reporting a Breach - Any workforce member, business associate, or data owner who believes that a breach has occurred, should immediately notify their supervisor and/or Select Medical representative of the occurrence. The potential breach should then be reported to the Privacy Officer...determine the appropriate breach notification requirements...proceed with required notifications..."