Inspector’s narrative
What the inspector wrote
Initial Comments
The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint.
ACTS Intake Number: CA00635945 Substantiated
The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility.
Representing the California Department of Public Health:
Surveyor A#: 41148
Health and Safety Code 1280.15
This Statute is not met as evidenced by:
Based on interviews and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, patient(s) (PT1 – PT214) medical information, when a Licensed Vocational Nurse (LVN1) stored patient medical documents in an off-site storage facility, without a business need to do so or written authorization from the patient(s).
Findings:
On May 2, 2019, the facility reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident, which the facility became aware of on April 8, 2019, occurred on April 8, 2019, and was reported to the facility by a relative of LVN1 (REL1).
On June 5, 2019, Surveyor A visited the Sacramento District Office (DO) to pick up the documents provided to the facility by REL1. The documents included Observation Detail List Reports, Progress Notes, Bowel Management Reports, Copies of Medication Cards, and Facility Activity Reports. On June 5, 2019, Surveyor A reviewed the documents provided by the DO. The Observation Detail List Reports contained patient names, medical record numbers, and diagnosis. The Progress Notes contained patient names and conditions. The Medication Cards contained the patient’s name and name of medication. The Facility Activity reports included patient’s names and progress note entries.
On June 13, 2019, Surveyor A interviewed Executive Director (ED1) at the facility. ED1 stated on April 8, 2019, REL1 brought documents and items to the facility that he found in his storage unit that contained medical information. REL1 stated he thought there could be more documents and items at the storage unit. On April 9, 2019, ED1 and Vice President of Health Services (VP1) met REL1 at the storage facility and collected the remaining medical documents. ED1 described the storage unit as being located at a secured storage facility with access only through a locked gate, which required the entry of a numerical key code. ED1 added the storage facility had security cameras throughout the storage facility. ED1 returned the remaining documents to the facility, where a Quality Compliance Nurse (QCN1) from the facility's corporate compliance office created an itemized list of the documents. ED1 stated the facility's policies did not allow employees to take documents from the facility. ED1 stated LVN1 and other facility staff routinely printed and used documents for care purposes throughout the facility, but the documents are to be disposed of in a designated shred bin prior to leaving the facility. LVN1 did not have a business need or authorization from the patients to take documents from the facility. The documents discovered ranged in date from 2013 to present (2019). ED1 stated he did not know he had to notify CDPH about the breach, and that patients were notified on May 30, 2019.
On June 19, 2019, Executive Director (ED1) submitted the facility's Confidentiality Agreement, and the Corporate Compliance Program, policies titled HIPPA: Privacy Policies and Procedures, Privacy and Security, Disclosure of Patient Health Information (PHI) without Authorization, Authorization for Disclosure of PHI. On June 19, 2019, Surveyor A reviewed the documents submitted by ED1. The Confidentiality Agreement stated, "It is the policy of the facility to require that all employees maintain all company-owned information of a confidential nature in the strictest confidence." The Confidentiality Agreement continued, "Employee shall not remove, transfer, or transmit confidential information from company premises except as authorized by his/her supervisor." LVN1 signed the Confidentiality Agreement on January 11, 2012.
The Corporate Compliance Program stated it was created to ensure every employee understands and complies with the laws and regulations that affect the services provided by the facility. Per the Corporate Compliance Plan, employees will secure the records and documents in a safe place, and employees have an obligation to ensure the Corporate Compliance Program is successful.
On September 6, 2016, LVN1 signed an employee verification statement attesting she completed training on Corporate Compliance. The HIPPA Privacy Policies and Procedures, and Privacy and Security required the facility to comply with all applicable state and federal laws governing the privacy and confidentiality of protected health information. The HIPPA Disclosure of PHI without Authorization stated the facility would not disclose PHI without authorization from the individual or the individual’s representative.
The HIPPA Authorization for Disclosure of PHI stated if an individual’s PHI is to be used or disclosed for purposes other than treatment, payment, or health care operations, the facility will obtain a signed written authorization from the individual, or the individual’s legal representative, unless permitted or required by law.
On June 27, 2019, Surveyor A interviewed VP1 by telephone. VP1 stated he went to the storage facility to accompany ED1. REL1 provided a box of documents to ED1, and ED1 and VP1 exited the storage facility. VP1 stated it is routine for facility staff to print and use documents to provide care at the facility, but not to take them off-site.
On July 15, 2019, Surveyor A interviewed QCN1 by telephone. QCN1 was sent to the facility to inventory the documents recovered by ED1. QCN1 inventoried the documents and provided ED1 an itemized list. The documents and items were stored in two cardboard boxes. There were no other documents in the boxes, other than the documents inventoried.
On July 19, 2019, ED1 submitted LVN1's job description, copies of patient notification letters, and a complete list of patients involved in the incident. LVN1's job description included a Corporate Compliance section, which stated, "As an employee of Facility, fully complies with all provisions in the Corporate Compliance Policy." On May 31, 2012, LVN1 signed the job description. On May 30, 2019, the facility mailed the patient notification letters, informing the patients that they became aware of a potential breach of the patient’s medical information on April 8, 2019. The completed list of patients involved provided by the facility totaled 214 patients.
On August 6, 2019, Surveyor A interviewed PT128's authorized Representative (AR1). AR1 recalled receiving a notification letter from the facility. AR1 stated she was not concerned about the issue and had confidence in the facility. AR1 reported no issues as a result of the incident.
On August 13, 2019, Surveyor A interviewed PT2 by telephone. PT2 recalled receiving a notification letter from the facility in the mail, and reported no issues as a result of the incident. PT2 was not concerned about the incident having a negative impact.
On August 28, 2019, Surveyor A interviewed PT76's Authorized Representative (AR2). AR2 recalled receiving a notification letter from the facility. AR2 stated she was not concerned about the issues and reported no negative impact to PT76.
On August 16, 2019, Surveyor A interviewed PT179's Authorized Representative (AR3). AR3 stated she received notification of the incident from the facility by mail. AR3 was not concerned about the issue and stated PT179 suffered no negative impacts as a result of the incident.
On August 16, 2019, Surveyor A interviewed PT58's Authorized Representative (AR4). AR4 stated she received notification of the incident from the facility by mail. AR4 was not concerned about the issues, would continue to monitor, and stated PT179 suffered no negative impacts as a result of the incident.
Surveyor A attempted to contact LVN1 by the telephone number provided by the facility and by mail. As of the date of this report, LVN1 has not responded to any contact attempts.
CONCLUSION:
Based on interviews and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, PT1 – PT214’s medical information. The breach occurred when LVN1 took patients’ medical information from the facility, and then stored patients’ medical documents in an off-site storage unit, without a business need to do so or written authorization from the patient or the facility.
Health and Safety Code 1280.15(b)(1)
This Statute is not met as evidenced by:
Based on interviews and record reviews, the facility failed to report the unlawful and/or unauthorized access to, and use or disclosure of, PT1 – PT214’s medical information, to the CDPH within 15 business days from date of breach detection by the facility on April 8, 2019. Facility notified the CDPH of the breach on May 2, 2019, which is three days late.
Findings:
On May 2, 2019, the facility reported a potential breach of confidential medical information to the CDPH by the facility. The incident, which the facility became aware of on April 8, 2019, occurred on April 8, 2019, and was reported to the facility by ED1. On June 11, 2019, Surveyor A reviewed written notification of the breach from facility to the CDPH. Review confirmed that facility notification was dated May 2, 2019, and that the breach was detected on April 8, 2019, which validates the notice being three days late.
Health and Safety Code 1280.15(b)(2)
This Statute is not met as evidenced by:
Based on interviews and record reviews, the facility failed to report the unlawful and/or unauthorized access to, and use or disclosure of, patient PT1 - PT214’s medical information, to the affected patient(s) [or patient’s representative] within 15 business days from date of the breach detection for each patient by the facility. Facility detected the breach of PT1 – 241’s medical information on April 8, 2019 and notified PT1 – PT214 on May 30, 2019, which is 31 days late.
Findings:
On May 2, 2019, the facility reported a potential breach of confidential medical information to the CDPH. The incident, which the facility became aware of on April 8, 2019, occurred on April 8, 2019, and was reported to the facility by ED1. On July 19, 2019, Surveyor A reviewed written notification(s) of the breach from the facility to PT1-PT214. Review confirmed that the notification(s) to PT1-PT214 were dated May 30, 2019, and that the breach was detected on April 8, 2019, which validates the notice being 31 days late.