Skip to main content

Inspection visit

Other

Clean visit · 0 citations

Inspector’s narrative

What the inspector wrote

Initial Comments The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint. ACTS Intake Number: CA00698368 Substantiated The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility. Representing the California Department of Public Health: Surveyor#: 41148 Health and Safety Code 1280.15 - Tag 170 This Statute is not met as evidenced by: Based on interviews and record reviews, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patient(s) (PT1–PT7’s), Outpatient Rehabilitation Patient (ORP1’s), and Visitor1 (VIS1’s) information, when Volunteer (VOL1) took and posted pictures to his Instagram (social media) account while volunteering at the facility, without a business need to do so or written authorization from the patient(s). Findings: USE IF INTAKE IS AN ERI: On July 24, 2020, the facility Registered Nurse (RN1) reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident occurred from February 2016 to August 2019 and was detected by the Facility on July 2, 2020. INVESTIGATION FINDINGS: On August 22, 2022, Surveyor contacted Director of Regulatory Affairs (DRA1) and confirmed DRA1 was the appropriate facility contact. Surveyor sent a secure email to DRA1 to confirm DRA1’s ability to receive emails from Surveyor. DRA1 confirmed being able to receive emails from Surveyor. On August 23, 2022, Surveyor sent DRA1 a secure email with the document request letter attached. DRA1 confirmed the email was received. On September 5, 2022, DRA1 provided Surveyor with the documents requested. The documents provided included the Confidential Privacy Breach Report dated July 21, 2020, screen shots of the pictures posted by VOL1, a written attestation from VOL1, Patient/Resident Freedom from Abuse on Social Media policy, Staff Use of Personal Recording Devices/Cell Phones policy, an email thread from Former Privacy Officer (FPO1) and VOL1, and copies of the notification letters sent to the involved parties. On September 6, 2022, Surveyor conducted a record review of the documents provided by DRA1. The Confidential Privacy Breach Report stated VOL1’s Instagram account contained approximately 3,600 pictures and videos of which approximately 150 pictures and eight videos were taken at the facility. The 15 pictures contained possible residents with identifying features at the time of detection. Of the 15 pictures, there were 13 possible people that may have been residents. The pictures were taken from February 2016 to August 2019 with the dates of the pictures taken going back to 2014. The facility was able to identify the seven patients, VIS1, and possibly ORP1. Five pictures were clearly identifiable based on the angle of the face. The remaining pictures were either taken from the side, behind, or included patient names. Two of the pictures were taken from behind and included patient wristbands. Three pictures included the residents first name in the pictures caption. VOL1’s Instagram account was reviewed for all facility locations and based on the review; the facility believes it is an isolated instance to VOL1’s account. The facility also searched hashtags associated with VOL1’s account. A hashtag is used to categorize content and enable accounts to be seen by more people. The review did not detect any other social media accounts associated with the hashtags. Nursing leadership was brought in and could only identify residents in 9 of the 15 pictures. VOL1 was notified on July 13, 2020, and asked about the pictures. VOL1 provided an attestation to deleting all PHI. VOL1 said he obtained written consent for some of the pictures; however, there is no consent in the resident’s medical record. On July 15, the facility verified the 12 pictures were deleted by reviewing VOL1’s account again. A second review found four additional pictures which were deleted on July 20, 2020. Surveyor reviewed the document containing screenshots of the Instagram posts. Pages 11 to 27 contained the screenshots of the pictures and captions/comments posted by VOL1. No patient identifiers or patient medical information (PMI) could be discerned. Pages 17 and 27 contained a side profile of individuals with no PMI. Page 15 contained an image of a male with a first name in the caption, but no PMI. Pages 25 and 26 contained images of a male wearing reflective sunglass but no PMI. VOL1’s written attestation was dated July 13, 2020, and in the document VOL1 attests to properly deleting the electronic PMI from any electronic device (computer, laptops, smartphones, tablets, flashdrives, etc.) The Patient/Resident Freedom from Abuse on Social Media policy stated, “Taking photographs or recordings of a patient and/or resident and/or his/her private space without the patient’s, resident’s, or designated representative’s written consent, is a violation of the individual’s right to privacy and confidentiality.” The purpose of the policy is to support the effective and responsible use of social media, protect the privacy and dignity of facility patients, and staff and to ensure compliance with HIPAA and state privacy regulations. For the purpose of the policy, facility staff included employees, consultants, contractors, volunteers, and other caregivers. The Staff Use of Personal Recording Devices/Cell Phones policy stated no staff may use a personal recording device to create a recording of any patient at the facility regardless of whether the patient gives consent. The email thread from Former Privacy Officer (FPO1) and VOL1 showed the dialogue between FPO1 and VOL1 regarding the pictures. FPO1 Reached out VOL1 and asked for the images to be deleted. VOL1 unaware he violated any privacy protections and deleted the images in question. On November 18, 2022, Surveyor interviewed Privacy Officer (PO1) DRA1 via TEAMS while RN2 satin on the interview. PO1 and DRA1 confirmed the Confidential Privacy Breach Report was accurate. Volunteers are required to go through privacy training prior to being able to volunteer at the facility. VOL1 was contacted and provided written attestation of the deletion of the pictures. VOL1 has not volunteered at the facility since being contacted and asked to delete the pictures. Surveyor was unable to contact VIS1 as the facility did not have contact information for VIS1. The facility was able to contact VOL1 through VOL1’s website. Surveyor went to VOL1’s website in an attempt to contact VOL1, but the website was not functioning, and surveyor was unable to contact VOL1. CONCLUSION: Based on interviews and record reviews, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patient(s) (PT1–PT7’s), Outpatient Rehabilitation Patient (ORP1’s), and Visitor1 (VIS1’s) information, when Volunteer (VOL1) took and posted pictures to his Instagram (social media) account while volunteering at the facility, without a business need to do so or written authorization from the patient(s).

Reading this as a family member? Your long-term care ombudsman is a free advocate for residents and families.

Back to top

Citations

No citations recorded on this visit

The surveyor cited no deficiencies during this survey.

FAQ · About this visit

Common questions about this visit

What happened during the December 5, 2023 survey of LAGUNA HONDA HOSPITAL & REHABILITATION CTR?

This was a other survey of LAGUNA HONDA HOSPITAL & REHABILITATION CTR on December 5, 2023. The surveyor cited no deficiencies.

Were any deficiencies cited at LAGUNA HONDA HOSPITAL & REHABILITATION CTR on December 5, 2023?

No deficiencies were cited during this survey.

What type of survey was this?

This was a other survey conducted by state surveyors under federal Centers for Medicare & Medicaid Services (CMS) oversight. Findings are published on CMS Care Compare.

Share this reportEmail

Next steps

Concerned about a resident’s care?Find your local ombudsman through the Eldercare Locatoror file a complaint with your state survey agency.

Researching this visit professionally?Book a 15-minute calland we will walk through what we have on file.

Data from CMS Care Compare public records. Dataset last refreshed . If you believe any information is inaccurate, report it here.