Inspector’s narrative
What the inspector wrote
Initial Comments
The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint.
ACTS Intake Number: CA00712755 Substantiated
The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility.
Representing the California Department of Public Health:
Surveyor#: 37381
Health and Safety Code 1280.15 & 1280.18
This Statute is not met as evidenced by:
Based on correspondence, interviews, and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, patients’ (PT1 and PT2) medical information, when activity therapist (AT1) accessed patients’ records when patients were no longer under AT1’s care.
Findings:
On November 13, 2020, the facility reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident, which the facility became aware of on October 24, 2020, occurred on January 25, 2020, and October 24, 2020, and was reported to the facility by the Chief Executive Officer (CEO1).
On September 16, 2022, the facility’s Director of Regulatory Affairs (DRA1) provided Surveyor A information regarding the incident. The information provided was an audit log of the different accesses, copies of employee’s HIPAA training sign-in sheets, and the facility’s privacy training material.
On September 19, 2022, upon review of the audit log, Surveyor A discovered that the audit log was for multiple patients and had multiple accesses, but the accesses could have possibly been made during the period when patients were under AT1’s care.
On September 21, 2022, Surveyor A spoke with DRA1 who stated that AT1 was part of the care for PT1 and PT2, both of whom ended up expiring. AT1 reviewed the access records after PT1 was discharged and after PT2 expired. DRA1 indicated that during an interview with AT1, AT1 admitted to accessing PT1’s record on January 26, 2020, and stated she viewed PT1’s record to write discharge notes. However, PT1 was discharged on January 10, 2020. She was then told it was inappropriate to view records after a patient is discharged. AT1 accessed PT2’s record the day PT2 passed away, October 24, 2020. AT1 recalled PT2 being assigned to her care but does not recall going into the notes after PT2 expired. Upon review of the audit log with DRA1, it was confirmed that the audit log contained all AT1’s accesses to PT2’s records. DRA1 stated they would review the accesses and provide a revised audit log showing the inappropriate accesses. On November 17, 2022, DRA1 provided the revised audit logs and screenshots of what AT1 viewed, according to the audit logs. DRA1 also stated that the compliance officer at the time is no longer employed by the facility, so DRA1 was going off the notes from the facility’s investigation.
On October 12, 2022, DRA1 provided revised audit logs of what AT1 viewed and accessed after PT1 and PT2 were no longer under AT1’s care. On November 18, 2022, DRA1 provided screenshots that correspond to the screens AT1 inappropriately accessed according to the audit logs.
On November 23, 2022, Surveyor A reviewed the revised audit log accesses. A review of the screenshots showed that AT1 accessed PT1’s record on January 25, 2020, and viewed the screens storyboard, active meds, treatment, and clinical overview. AT1 accessed PT2’s record on October 24, 2020, from 10:21 AM to 10:24 AM and viewed the screens storyboard, notes, and patient data. The screenshots provided show a summary of care and previous visits, and medications.
On October 12, 2022, Surveyor A reviewed AT1’s training history, which consisted of a printed meeting agenda from a December 10, 2020, HIPAA Refresher (snooping) training. This agenda was signed by various employees and included AT1’s signature. The HIPAA Training Refresher material states, “If you access records for non-business purposes, corrective and disciplinary actions may include loss of privileges, impact to your professional licenses and can lead to termination” and, “Practical considerations – Ask Yourself: Do I have a business need to be in a medical record? What do I need to know to do my job (minimum necessary rule)?”
Surveyor A was unable to locate or contact AT1.
CONCLUSION:
Based on correspondence, interviews, and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, patients’ (PT1 and PT2) medical information, when activity therapist (AT1) accessed patients’ records when patients were no longer under AT1’s care.