Tag No.: A0147
Based on interview and record review, the facility failed to follow its policy on patient confidentiality to ensure:
1. The confidentiality of 102 patients was protected. The facility failed to ensure that Staff 1 did not access computerized records of 102 patients' medical health information. This resulted in 132 actual breaches of protected health information. This failure had the potential to negatively affect any patient requiring healthcare in the facility's healthcare system.
2. The confidentiality of 1 of 14 sampled patients (Patient 11) was protected. This resulted in an unauthorized release of Patient 11's protected health information.
3. The confidentiality of the medical information of 1 of 14 sampled patients (Patient 10) was protected. This failure resulted in an unauthorized release of Patient 10's protected health information to another patient's (Patient 9) family member.
Findings:
1. A review of the facility's investigation of a breach of 102 confidential patient records was conducted on September 27, 2012. The investigation documented, "Discovery of inappropriate access of 102 patient records by (Staff 1)."
A review of the facility's audit result, conducted by the facility on July 3, 2012, revealed that 102 patient records were accessed by Staff 1 and several of the records were accessed more than one time from 4/3/12 to 6/28/12. The total number of times that Staff 1 had accessed protected health information of patients was 132. The audit contained an area for the facility to document if there was a "need to know" of the information accessed and each time it was recorded as "no". For each inappropriate access to the medical record, the facility had recorded that Staff 1 had accessed the "Entire Chart", except for one record. The one record that did not indicate that the entire chart was accessed had an indication that progress notes were accessed.
An interview was conducted with the Director of Health Information Management (DHIM) on September 27, 2012 at 9 AM. She stated that the facility had detected the breach of 102 records by Staff 1 during a routine audit of patients' computerized records. The DHIM stated that the employee (Staff 1) accessed multiple patient records and that some of the records were accessed multiple times. The DHIM stated that there was no reason for Staff 1 to access the material. She stated that Staff 1 was a mail courier for the business office and she only needed to access the patient's face-sheet (the face-sheet contained patient demographic information). The DHIM stated that Staff 1 needed to access the patient's face-sheet if billing was sent out and then returned. Staff 1 would need to check the face-sheet for alternate addresses where the billing could be sent. The DHIM stated that Staff 1 did not "need to know" any other information in a patient's medical record. The DHIM was asked what information was accessed. She replied that there were emergency department notes, assessments, medication information and, most times, the entire medical record. She confirmed that there were 102 patients who had their protected medical information accessed without a need to know by Staff 1.
An interview was conducted with the Director of Human Resources (DHR) on September 27, 2012 at 10:40 AM. She stated that she interviewed Staff 1 after the inappropriate access was identified. The DHR stated that when interviewed, Staff 1 initially reported that she did not remember why she had accessed the records; however, later in the interview, Staff 1 stated that she accessed the records in response to her co-workers asking her for help. She identified three co-workers that she stated asked her to look further into the patient's medical record: Staff 2, Staff 3, and Staff 4. The DHR stated that the facility interviewed all three co-workers and they denied asking Staff 1 to look further into the medical record.
A review of the job description for Staff 1 was conducted. There was no documented reason for the employee to look into a patient's chart, further than the face-sheet.
An interview was conducted with the Director of Patient Accounts (DPA) (Staff 1's direct supervisor) on September 27, 2012 at 11 AM. She stated that Staff 1 did not "need to know" any information in the medical record except for the addresses on the face-sheet for the purpose of return billing. The DPA stated that Staff 1 was under suspicion because a co-worker had reported about two (2) months prior that he thought that Staff 1 might be looking at information that she did not need to know. The DPA stated that there was no evidence to support the claim at that time; however, the DPA had spoken to Staff 1 regarding patient confidentiality. The DPA stated that she had never witnessed any other staff directing Staff 1 to look further into a patient record. She confirmed that, according to the job description for Staff 1, there was no reason for Staff 1 to review patients' confidential medical information.
An interview was conducted with Staff 2 on September 27, 2012 at 1 PM. She stated that to do her job, she reviews the financial information of a patient. Staff 2 stated that she would not have a need to know any confidential medical information about a patient. She stated that she did not at any time request that Staff 1 look up medical information about any patient.
An interview was conducted with Staff 3 on September 27, 2012 at 1:10 PM. She stated that she does have to review certain medical information to do her job; however, the amount of information is limited and does not entail the entire medical record. She stated that she did not, at any time, request that Staff 1 look up medical information about any patient.
An interview was conducted with Staff 4 on September 27, 2012 at 1:20 PM. She stated that she does have to review certain medical information to do her job; however, the amount of information is limited and does not entail the entire medical record. She stated that she did not, at any time, request that Staff 1 look up medical information about any patient.
Staff 1 no longer worked for the facility and was not available for interview.
A review of the facility's policy titled, "Confidentiality of Patient Information", dated March 30, 2012, revealed that "(hospital name) shall maintain the confidentiality of information pertaining to its patient, employees, volunteers, contractors, and hospital business. All employees and agents of the hospital have a moral, professional, and legal obligation to protect the confidentiality of information."
A follow-up interview was conducted with the DHIM on September 27, 2012 at 2 PM. She confirmed that Staff 1 did not follow hospital policy regarding the confidentiality of 102 patients' protected health information.
2. A review of the facility's investigation of a breach in patient confidentiality was conducted on September 27, 2012. The investigation revealed that a privacy breach had occurred on May 12, 2012. A patient in the Emergency Department (ED) was given a CD that belonged to Patient 11. The information that was given to the patient was:
Patient 11's name
Patient 11's Medical Record Number
Patient 11's X-rays (three different procedures)
An interview with the DHIM was conducted on September 27, 2012 at 10 AM. She stated that a patient in the ED was given the wrong CD containing x-ray images of another patient. The DHIM stated that the patient took the CD to her physician's office and it was the physician who discovered the error. She stated that the physician called the facility and the patient returned the CD to the facility. The DHIM stated that the patient would not have been able to open the CD, as it required a special computer program to open and run the images. The DHIM confirmed that the patient did receive another patient's (Patient 11) protected health information and that the reason the patient received the incorrect information was facility error.
3. A record review on September 27, 2012 at 10:40 AM revealed that Patient 10 was seen in the facility's Emergency Department (ED) on August 9, 2012 and was discharged the same day.
An interview and a concurrent record review were conducted with the Director of the Health Information Management Department, on September 27, 2012 at 10:40 AM. She stated that Patient 9 was seen in the facility's ED on August 9, 2012, released the same day and Patient 9's mother was provided "After-Care Instructions" (discharge instructions) for Patient 9. On August 10, 2012, Patient 9's mother returned to the facility inquiring about the "After-Care Instructions" which were provided to her by an ED staff. The Director of the Health Information Management Department stated that Patient 9's "After-Care Instructions" was mislabeled with Patient 10's medical information which contained protected health information (PHI) of Patient 10.
During an interview, on September 27, 2012 at 10:50 AM, with the Director of the Health Information Management Department, she stated that an ED nurse accidentally mislabeled Patient 9's "After-Care Instructions" with Patient 10's label which contained Protected Health Information (PHI).
A record review, on September 27, 2012 at 11 AM, of the facility policy titled, "Confidentiality of Patient Information, approved on 3/30/12," indicated the following: "...(Name of Facility) shall maintain the confidentiality of information pertaining to its patients, ...All employees and agents of the hospital have a moral, professional, and legal obligation to protect the confidentiality of information ..."