The resident has the right to personal privacy and confidentiality of his or her personal and clinical records.
Personal privacy includes accommodations, medical treatment, written and telephone communications, personal care, visits, and meetings of family and resident groups, but this does not require the facility to provide a private room for each resident.
Except as provided in paragraph (e)(3) of this section, the resident may approve or refuse the release of personal and clinical records to any individual outside the facility.
The resident's right to refuse release of personal and clinical records does not apply when the resident is transferred to another health care institution; or record release is required by law.
The facility must keep confidential all information contained in the resident's records, regardless of the form or storage methods, except when release is required by transfer to another healthcare institution; law; third party payment contract; or the resident.
Based on review of a Facility Event Report, facility documentation and an interview with the Chief Executive Officer for Catholic Health Care Services, it was determined that the facility failed to safeguard resident protected health information and personal information of residents.
A review of the facility "Notice of Privacy Practices" policy, enacted April 13, 2003 and revised September 22, 2013, which is presented to all residents or responsible parties on admission, states "How medical information may be used and disclosed, the facility's duty to safeguard Protected Health Information (PHI). The facility is also required to follow privacy practices described in this notice; specifically the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule)."
A review of the event report submitted by the facility revealed that the Director of Clinical Operations for Catholic Health Care Services was in possession of a cellular telephone on which resident-identifiable information from six nursing care facilities was stored. Review of the event report and documentation submitted by the facility revealed that the Protected Health Information collectively included resident names, room numbers, social security numbers, medical information, prescription refill warnings, billing questions regarding medical equipment in use, information regarding diagnosis and treatment following incidents that occurred, admission and discharge dates, medical procedures, discharge checklists, abuse investigations, names of family members, legal guardians, equipment codes of medical equipment used by residents, information relating to care plans, initials, dates of physician appointments, diagnostic tests ordered, medication information, information regarding nutritional status, and general information shared with staff in an interview.
Further review of the facility event report and submitted information revealed that the Director of Clinical Operations reported on November 7, 2013, that the cellular phone (iPhone) containing the Protected Health Information had been stolen on or about October 11, 2013. A meeting of administrators from all of the affected facilities was held on November 15, 2013, at which time the cellular phone was reported to have been stolen. The cellular phone was not passcode protected, thereby compromising the privacy and confidentiality of any or all residents whose information had been electronically mailed using this device.
This information regarding the loss of the cellular phone containing the Protected Health Information of residents was not reported to the Department of Health until December 23, 2013.
The above information was confirmed during an interview with the Chief Executive Officer on December 27, 2013.
The facility failed to take timely, adequate, and sufficient measures to ensure the privacy and rights of the residents as it applied to their confidential and private information.
28 Pa. Code: 201.14(a)(c) Responsibility of licensee.
28 Pa. Code: 201.18(b)(1)(2)(e)(1) Management.
28 Pa. Code: 211.5(b) Clinical records.
Plan of Correction - To be completed: 01/31/2014
All affected residents were identified. A review of all resident PHI was completed. All data gathered was analyzed and separated by facility and type of disclosure. Residents and/or responsible parties were notified in writing of the disclosure on December 26, 2013.
The review of the e-mail data identified any other residents who could have potentially been affected. If identified as being affected, the resident and/or responsible party received a written notification, consistent with the HIPAA/HITECH Breach Notification requirements.
A facility policy, entitled “Lost or Stolen IT Equipment”, was developed on [December 9, 2013 and subsequently revised on December 30, 2013], to protect the privacy and confidentiality of resident personal and clinical information that is stored or accessible on the facility’s equipment and/or network or via mobile devices owned by the facility or staff. All CHCS and facility staff with any devices/equipment able to access the organization’s network or data applications have been educated and trained and will be re-in-serviced annually regarding the proper procedure to initiate and maintain protection of resident personal and clinical information, the utilization of a password/passcode to access mobile devices, and [encrypting any data on such devices]. Staff has also received information regarding appropriate procedures to follow in the event a device is lost or stolen as per the aforementioned policy dated December 9, 2013. All new employees shall be educated and trained regarding the established policies and procedures on privacy practices and use of IT equipment during orientation and annually thereafter. All employees shall continue to receive the “Employee Acknowledgment of Policy” document and shall review and sign such document during their annual evaluation process.
CHCS and the facility will ensure implementation of the system’s policy and procedure on Privacy Practices and Use of IT equipment as well as the policy governing Lost or Stolen IT Equipment. All Administrators are required to maintain a current updated list of all devices or equipment held by employees that are able to access the organization’s network or data applications. Each employee on the list will be required to initiate and maintain a current password/passcode for their devices [as well as encrypt any data on such devices]. The Administrator/designee will audit compliance monthly. This will be reviewed and reported at the monthly QA committee meeting for accuracy and compliance with established policies and procedures.
Completion Date: January 31, 2014
Responsible Person: Facility Administrator
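The plan of correction describes a control rather than a tool: the Administrator keeps a current inventory of every device able to reach the organization's network or data applications, every device on that list must have a passcode and encrypted storage, and compliance is audited monthly and reported to the QA committee. The Python script below is an added example of how that monthly audit can be made mechanical and repeatable; it is not the facility's or CHCS's code. The inventory rows, the list of devices seen on the network, the field names, and the 31-day attestation window are all constructed assumptions for illustration.

```python
"""Monthly mobile-device compliance audit (added example, hypothetical).

Models the control in the plan of correction: an inventory of devices that can
reach the organization's network, a passcode and encryption requirement for
each, a check that the device state was confirmed recently, and a
reconciliation of the inventory against devices actually seen on the network.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One row of the Administrator's device inventory (hypothetical schema)."""
    device_id: str
    owner: str
    facility: str
    passcode_enabled: bool
    storage_encrypted: bool
    last_attested: date  # when the device's settings were last confirmed


@dataclass(frozen=True)
class Finding:
    device_id: str
    issue: str


# Constructed sample inventory; none of these are real devices or people.
INVENTORY = [
    Device("iphone-001", "dir-clinical-ops", "Facility A", True, True, date(2014, 1, 20)),
    Device("iphone-002", "nurse-manager", "Facility A", False, True, date(2014, 1, 20)),
    Device("android-003", "administrator", "Facility B", True, False, date(2013, 11, 1)),
    Device("laptop-004", "billing-clerk", "Facility B", True, True, date(2014, 1, 5)),
]

# Constructed sample: device identifiers that authenticated to the network this month.
SEEN_ON_NETWORK = {"iphone-001", "iphone-002", "laptop-004", "tablet-999"}


def audit(inventory, seen_on_network, audit_date, max_attestation_age_days=31):
    """Return every finding the monthly audit should raise.

    Checks: each inventoried device has a passcode and encrypted storage, its
    state was confirmed within the audit window, and every device seen on the
    network is actually on the Administrator's list.
    """
    findings = []
    for dev in inventory:
        if not dev.passcode_enabled:
            findings.append(Finding(dev.device_id, "passcode not enabled"))
        if not dev.storage_encrypted:
            findings.append(Finding(dev.device_id, "storage not encrypted"))
        if (audit_date - dev.last_attested).days > max_attestation_age_days:
            findings.append(Finding(dev.device_id,
                                    f"attestation older than {max_attestation_age_days} days"))
    # A device that reaches the network but is missing from the inventory is a
    # gap in the control itself, not just a misconfigured device.
    inventoried = {dev.device_id for dev in inventory}
    for dev_id in sorted(seen_on_network - inventoried):
        findings.append(Finding(dev_id, "seen on network but not in inventory"))
    return findings


def compliance_by_facility(inventory, findings):
    """Count compliant devices per facility for the QA committee report."""
    flagged = {f.device_id for f in findings}
    summary = {}
    for dev in inventory:
        compliant, total = summary.get(dev.facility, (0, 0))
        summary[dev.facility] = (compliant + (dev.device_id not in flagged), total + 1)
    return summary


def run_monthly_audit(audit_date=date(2014, 1, 31)):
    """Run the audit over the constructed inventory for a given report date."""
    return audit(INVENTORY, SEEN_ON_NETWORK, audit_date)


if __name__ == "__main__":
    results = run_monthly_audit()
    for f in results:
        print(f"{f.device_id}: {f.issue}")
    for facility, (ok, total) in sorted(compliance_by_facility(INVENTORY, results).items()):
        print(f"{facility}: {ok}/{total} devices compliant")
```

In practice the inventory and the network-seen list would come from an MDM export and authentication logs rather than constants; the point of the reconciliation step is that a device like the unlisted tablet in the sample would never be caught by checking only the devices already on the list.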