Inspector’s narrative
What the inspector wrote
Initial Comments
The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint.
ACTS Intake Number: CA00702794 Substantiated
The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility.
Representing the California Department of Public Health:
Surveyor#: 41148
Health and Safety Code 1280.15 & 1280.18
This Statute is not met as evidenced by:
Based on interviews and record reviews, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patient (PT1’s) medical information, when Activity Therapists (AT1) and (AT2) accessed and viewed PT1’s Electronic Medical Record (EMR), without a business need to do so or written authorization from PT1.
Findings:
On August 26, 2020, the facility reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident occurred on June 24, 2020, and July 7, 2020. On August 27, 2020, the facility detected the breach via a privacy office systems audit. On August 28, 2020, the notification letter for PT1 was issued to Power of Attorney (POA1).
INVESTIGATION FINDINGS:
On August 22, 2022, Surveyor spoke to Director of Regulatory Affairs (DRA1) by telephone to confirm the correct email address to send document request letters.
On August 23, 2022, Surveyor sent the document request letter to DRA1 via email.
On September 5, 2022, DRA1 provided requested documentation.
On September 6, 2022, Surveyor reviewed the documents provided by DRA1. DRA1 provided the facility’s Confidential Privacy Breach Report, AT1’s access audit logs, trainings completed by AT1, copies of Privacy Pulses signed by AT2, San Francisco Department of Public Health (SFDPH) Privacy Policy, Authorization for Use and Disclosure of Protected Health Information policy, SFDPH Policy HIPAA Compliance: Administrative Requirements, copy of the sanctions imposed on AT1, and a copy of the notification letters sent to PT1’s next of kin .
Surveyor reviewed The Confidential Privacy Breach Report from the facility which was dated August 28, 2020. Per the report, a privacy audit on PT1’s record suggested AT1 and AT2 accessed PT1’s EMR without authorization. The privacy audit was conducted on PT1’s EMR due to PT1 being in the news with reference to the facility. The audit parameters for the audit were June 24, 2020, to July 31, 2020, and included all facility employees. PT1’s EMR had the Break-the-Glass (BTG) security feature put in place on July 6, 2020, which was after AT1 And AT2 accessed PT1’s EMR. Break-the-Glass is an EMR feature that forces users to think twice about patient information they are about to access. A security screen will appear for the record about to be accessed and requires users to enter a reason why access is needed to a record marked a sensitive. AT1 accessed PT1’s EMR on June 24, 2020, and viewed nursing notes, social worker notes, storyboard, and patient chart. AT2’s accessed PT1’s EMR on July 2, 2020, and viewed PT1’s chart.
On August 27, 2020, Activity Therapy Director (ATD1) interviewed AT1 and AT2. AT1 stated they were on PT1’s care team in March of 2020 and were curious. The facility determined that AT1 accessed and viewed protected health information (PHI) in a manner not permitted by HIPAA. AT1 accessed the EMR out of curiosity without a business need. Based on the facility’s risk assessment, the incident constituted a reportable breach. AT2 stated AT2 had not been on PT1’s care team but wanted to help create a memorial for PT1. AT2 discussed the situation with a social worker and was informed it was not acceptable to do a memorial. Facility determined that AT2 accessed and viewed PHI in a manner that was permitted by HIPAA. The employee accessed the EMR that was related to operational purposes with an intent to organize a memorial on PT1’s floor. Based on the facility’s risk assessment, the incident did not constitute reportable breach. On August 27, 2020, AT1 and AT2 were counseled on proper viewing of records related to HIPAA.
AT1’s access audit demonstrated AT1 accessed PT1’s record on June 24, 2020, from 16:11 (4:11 pm) to 16:13 (4:13 pm) for total of 3 minutes. A document titled Class Progress demonstrated AT1 completed DPH Annual Compliance and Privacy Training- FY2019/2020. Privacy Pulse October 2018, April 2020, Summer 2020, and Winter 2020 editions were provided. Each edition listed and defined 5 top common HIPAA violations as follows: mishandling of medical information, unauthorized access of patient information (snooping), employee disclosing patient information, lost, or stolen electronic devices and social media. Snooping was defined as, “employees accessing patient information when they are not authorized is another common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost the hospital substantially in penalties. Individuals may be subject to fines and even prison time, loss of privileges, impact to their professional license and termination of employment.” AT2 signed each addition on August 29, 2020.
The SFDPH Privacy Policy was adopted in March of 2003 with the last revision on September 23, 2013. The purpose of the policy is to provide guidance to facility employees by setting basic requirements for protecting confidentiality of medical information as required by the privacy rule. The policy pertains to all individuals in the facility who may access, use, or disclose PHI, regardless of SFDPH division or unit. Per the policy, section 3. Definitions, Background stated, “The basic tenet of the Privacy Rule is that providers may use and disclose PHI without the individual’s authorization only for treatment, payment, and health care operations, as well as certain public interest related purposes such as public health reporting. Other uses and disclosures of PHI generally require the written authorization of the individual.”
The Authorization for Use and Disclosure of Protected Health Information policy had an effective date of April 2003 and was last revised on September 23, 2013. The purpose of the policy is to comply with the HIPAA privacy rule, as well as relevant state and federal laws controlling the release of PHI, by establishing a process to obtain proper authorization for the use or disclosure of PHI when necessary and appropriate. Per the policy, section 4, numeral II A.1, “An authorization is required in the following situations: Per the HIPAA Privacy Rule for use of PHI by SFDPH, its providers, its affiliates and its contract providers for purposes not related to treatment, payment, or health care operations. Section VI continued, for deceased clients/patients, the patient representative (next of kin or executor of estate) has the rights that the patient would have had relative to access and release of the record.”
SFDPH Policy HIPAA Compliance: Administrative Requirements stated, SFDPH shall designate a privacy officer responsible for developing and implementing policies and procedures regarding HIPAA. It is the responsibility of SFDPH, through the privacy officer, to provide privacy training to all SFDPH personnel who produce, transcribe, store, transmit or otherwise have access to PHI. The copy of the sanctions imposed on AT1 stated AT1 accessed PT1’s record without a legitimate business need.
Surveyor completed a review of the facility Confidential Investigative Report on AT1 dated September 24, 2020, and confirmed the access of PT1’s EMR was because AT1 “cared about the resident and was curious.” On September 1, 2020, a formal interview was held with AT1. AT1 cared for PT1 from September 2019 through March of 2020. After AT1 learned PT1 was deceased, AT1 viewed a physician note as part of the grief proces s and did not remember looking at other entries in PT1’s record despite the access audit indicating eight entries. AT1 admitted to not having a business reason to access PT1’s record. AT1 attested to completing privacy training and knowing that employees cannot access PHI for any patient without a business need. b. AT1 admitted to looking at other residents who had passed while under her care without a business need but did not provide names. AT1 was terminated because of the incident.
On October 28, 2022, Surveyor interviewed Privacy Officer (PO1) and DRA1 while RN2 was present via Microsoft TEAMS. PO1 confirmed the facility’s Confidential Privacy Breach Report information to be accurate. The access was detected through a proactive audit put in place due to PT1 being a high-profile patient. The access audit information categories were defined in detail. Time Stamp was the time of access and Date was the date the record was accessed. The note category was what AT1/A2 did or looked at while in the record. Event Area was the tab/folder category and type was viewed which was defined as only looked at and nothing printed. Encounter was the date of admission, Platform was the EMR, and Ass essment Data was the specific items viewed. AT1 and AT2 previously cared for PT1 but were not assigned to care for PT1 at the time of access. AT1’s access was deemed to be without a business need and AT1’s employment was terminated because of the incident. Memorials for patients were commonplace on the unit where PT1 was housed, and as a result, the facility determined AT2’s access to be appropriate. AT2 only accessed information that showed things PT1 personally liked to setup a memorial for PT1. Surveyor requested the job description for ATs, screen shots of what was viewed, AT1’s access audit, and any additional related policies.
On November 4, 2022, DRA1 and RN2 provided the SFDPH Privacy Policy and AT job description, and surveyor reviewed the documents provided. The SFDPH Privacy Policy was effective March of 2003 and last revised on July 1, 2019. The policy’s purpose was to provide guidance to SFDPH employees, contractors, students, and volunteers by setting forth the basic requirements for protecting the confidentiality of patient medical information. The policy provided an overview of HIPAA and other federal and state regulations which SDPH employees are required to follow.
Per the policy, section 3, numeral VI A., “SFDPH shall obtain an individual’s authorization prior to the use or disclosure of PHI for reasons other than SFDPH treatment, payment or health care operations, or purposes required by law.” Section 3, numeral VI C. continues, “Because it is focused on a particular use or disclosure, an authorization must be specific about the information to be disclosed, who may disclose it, and who may receive it. It must also be limited.” The AT job description stated AT’s perform comprehensive assessments to determine the individual needs of assigned residents in addition to collaborating with other disciplines and staff to provide opportunities and resources to achieve leisure related goals.
On December 14, 2022, PO1 provided the screen shots of the story board and notes viewed by AT1. Surveyor reviewed the documents provided by PO1. The storyboard viewed by AT1 contained PT1's name, date of birth, medical record number, address, and social security number. The notes viewed by AT1 contained PT1’s name, date of birth, medical record number, medical history, and medical conditions.
AT1 and AT2 are no longer employed by the facility. The facility would not provide their personal contact information.
On January 12, 2023, DRA1 informed Surveyor the facility HR staff reached out to AT1 and AT2 on the week November 15, 2022. Messages for AT1 and AT2 were left with Surveyor’s contact information and were asked to contact Surveyor. As of the date of this report, AT1 and AT2 have not contacted Surveyor.
CONCLUSION:
Based on interviews and record reviews, facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, PT1 medical information (PMI). The breach occurred when AT1 and AT2 accessed and viewed PT1’s EMR, without a business need to do so or written authorization from PT1.