Health inspection·February 26, 2021

The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint. ACTS Intake Number: CA00660046 Substantiated The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility. Representing the California Department of Public Health: Surveyor#: 37779 Based on correspondence, interviews, observation and record review, Facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, a patient1's (PT1) medical information, when certified nurse assistant (CNA1) posted photographs on a social media site of PT1, without a business need to do so or written authorization from PT1. Findings: On October 22, 2019, Facility reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident, which Facility became aware of on October 21, 2019, occurred on October 21, 2019, and was reported to Facility by a concerned citizen (CC1). On October 21, 2019, CC1 contacted Facility and spoke with Administrator Assistant (ADM2) and CC1 informed ADM2 that CC1 was a friend follower of CNA1 on social media. CC1 stated to ADM2 that an employee of the facility (CNA1) had posted patient information on a social media site. CC1 sent a copy of the "posts" he viewed on CNA1's social media site about PT1 to ADM2. On February 5, 2020, Surveyor A conducted a telephone interview with ADM2 and the Director of Nursing (DON1). ADM2 stated to Surveyor A that CC1 phoned and spoke with her and stated "one of our employees is posting on [social media site] about your resident. I was like ok, do you have any proof? Then he sent me the picture. He texted me." ADM2 stated she took the information to Facility Administrator (ADM1). On February 5, 2020, the then Director of Staff Development (DSD1), now Director of Nursing (DON1) stated to Surveyor A that she was with ADM1, when ADM2 showed the social media posts to ADM1. DON1 stated she began putting together a Health Information Portability Accountability Act (HIPAA) in-service to in-service the staff. DON1 stated to Surveyor A, she first checked to see if CNA1 was working and she was. DON1 stated that she pulled CNA1 off the floor and took her to the then Director of Nursing's (DON2) office. DON1 stated that CNA1 denied posting the photos to the social media site. On January 17, 2020, Surveyor A conducted a telephone interview with ADM1. ADM1 stated Facility received a telephone call from CC1. CC1 spoke with ADM2 and alleged that he was a friend follower of CNA1 on a social media site, and CC1 believed there was a medical breach, or HIPAA breach. ADM1 stated CC1, "was able to screenshot, because with [social media site], it disappears after a short time." ADM1 stated CC1 sent the social media posts to ADM2, and then ADM2 sent them to ADM1. ADM1 then began an investigation. CNA1 was working that day; CNA1 was called to DON2's office and interviewed about the incident. CNA1 was suspended and escorted off the premises while an investigation ensued. CNA1's employment was subsequently terminated. On January 21, 2020, Surveyor A conducted a telephone interview with CC1. CC1 stated he was browsing through social media and came across PT1 on CNA1's social media. CC1 stated he, "Came across photos, videos, residents exercising in bed, and eating, but the most alarming was a resident laying [sic] in bed who may have passed." CC1 stated the photos were geographically tagged, and they were tagged to a location. CC1 stated he called the location that was tagged, and was told the location he was looking for was next door to them. CC1 was provided the contact information for Facility. CC1 stated he contacted Facility and reported the incident to them. CC1 stated he informed CNA1 on the social media site that he was going to report the posts to her employer. CC1 stated CNA1's response was for CC1 to get a life, and she asked why CC1 cared. CC1 stated he told CNA1 that her posts were an invasion of patient privacy. CC1 stated he decided to report the incident to Facility. Surveyor A's attempts to interview CNA1 were unsuccessful. Surveyor A's record review of the two social media posts showed PT1 with a breathing apparatus with the caption, "My poor [PT1] is dying :((." The other post is a dark screen with the caption, "Guyssss [PT1] Diedddd :(." Surveyor A's record review of Facility's "HIPAA Onboard Training Outline," states, "All resident/patient health information is confidential ...With current modern technology including cell phones, social media and electronic resident/patient charts, healthcare information is more easily accessible than ever before which is why it is important to protect our residents' health information ...All information is protected including hard chart documentation, electronic as well as spoken word ...Our resident's [sic] have the right to confidentiality just as we do." CNA1 received HIPAA Onboard training on June 11, 2018. Surveyor A's record review of Facility's October 19, 2004, "Cell Phone Rules for all Employees," policy states, "Cell phones are not to be carried on your person in the facility. When you come to work you [sic] cell phone should be turned off and left in your purse, locker or car. Not carried by you ...NO CAMERA PHONES ALLOWED IN THE BUILDINGS." Based on correspondence, interviews, observation and record review, Facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, PT1's medical information, when CNA1 posted photographs on a social media site of PT1, without a business need to do so or written authorization from PT1.