Inspector’s narrative
What the inspector wrote
Initial Comments
The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint.
ACTS Intake Number: CA00518187 Substantiated
The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility.
Representing the California Department of Public Health:
Surveyor#: 41148
Health and Safety Code 1280.15(a)
"A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patient's medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient's medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient's medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining whether to investigate and the amount of an administrative penalty, if any, pursuant to this section."
This Statute is not met as evidenced by:
Based on interviews and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, patient’s (PT1’s) medical information, when Registered Nurse (RN1) accessed PT1’s medical information from a separate facility within the facility’s network, without a business need to do so or written authorization from PT1.
Findings:
On January 13, 2017, the facility reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident, which the facility detected on January 9, 2017, occurred on January 3, 2017, and was reported to the facility by the Director of Nursing (DON1).
On May 17, 2019, Privacy Officer (PO1) provided the facility's undated investigation summary, Patient Privacy and Confidentiality of Protected Health Information policy, and the notification letter sent to PT1. On May 17, 2019, Surveyor reviewed the documents provided by PO1 with PO1. The facility's investigation summary stated DON1 reported the incident on January 9, 2017. DON1 reported RN1 disclosed medical information about PT1 on January 3, 2017. The Patient Privacy and Confidentiality of Protected Health Information policy created January 22, 2016, stated, "It is the policy of the facility to comply with and oversee all requirements of state and federal laws and regulations respecting patient privacy, including those requirements that pertain to use or disclosure of Protected Health Information (PHI)."
Regarding access to relatives' PHI, the policy stated, "Access to a relative's medical records is a violation of the patient's privacy. Employees are required to follow the same processes, designed to safeguard PHI, as all other patients and unauthorized designees of patients." On January 18, 2017, the facility sent PT1 a notification letter regarding the incident.
On May 22, 2019, Privacy Officer (PO1) provided a copy of RN1's informal corrective action and the Workforce Access to Own Protected Health Information (PHI)-Systemwide policy. On May 22, 2019, Surveyor reviewed the documents submitted by PO1. RN1's informal corrective action, dated January 27, 2017, indicated she received a written warning for the failure of an employee to follow the instruction of a supervisor or to follow a policy or procedure, specifically, failure to follow the policy on accessing the medical information of patients not assigned to RN1. The Workforce Access to Own Protected Health Information (PHI)-Systemwide policy dated January 21, 2018, stated a workforce member's access to his or her own protected health information is treated in the same manner as that of a patient.
On May 17, 2019, Surveyor A interviewed PO1 at the facility. PO1 stated RN1 admitted to DON1 that she had accessed PT1's medical records, and there was no record of an access audit being conducted. Access audits had to be done manually in the computer system at the time of the incident. PO1 stated the prior privacy officer noted the access was "confirmed," and suspected it was confirmed via an audit. RN1 accessed PT1's medical records from the facility while PT1 was located at a separate facility within the same facility network. PO1 confirmed RN1 could have accessed PT1's medical records because the facilities used the same computer system. At the time of the incident, there was no prompt before a user entered a patient's medical record that might have been outside that user's scope.
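The two control gaps PO1 describes (access audits that had to be run by hand, and no prompt before a user opened a chart outside their scope) are exactly what an automated review of the EHR access log is meant to close. The Python below is an added illustration and is not code from the facility, its EHR vendor, or CDPH; the pipe-delimited log format, the facility codes, the user and patient identifiers, and the assignment table are all constructed for the example. It flags each chart access with no documented treatment relationship, notes when the patient is located at a different facility than the user, treats a workforce member opening their own record the same way the facility's own policy does, and counts repeat accesses per patient, which is the unit the statute quoted above uses for subsequent occurrences.

```python
"""Added example: automated EHR access-audit review (constructed data, not a real export)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    user_facility: str
    patient: str
    patient_facility: str
    document: str


def parse_access_log(lines: Iterable[str]) -> list[Access]:
    """Parse audit lines of the constructed form ts|user|user_facility|patient|patient_facility|document."""
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and comments
        ts, user, ufac, pat, pfac, doc = raw.split("|")
        out.append(Access(datetime.fromisoformat(ts), user, ufac, pat, pfac, doc))
    return out


def flag_out_of_scope(accesses: Iterable[Access], assignments: set, mrn_of_user: dict) -> list[dict]:
    """Return one finding per access that lacks a documented treatment relationship.

    assignments: set of (user, patient) pairs exported from the staffing/assignment system.
    mrn_of_user: maps a workforce member's user id to their own patient id, where one exists,
                 so that self-access is reviewed like any other patient's record.
    The same predicate would drive a 'reason for access' prompt in the EHR before the
    chart opens; here it is applied after the fact over the audit trail.
    """
    findings = []
    occurrences: dict[str, int] = {}  # patient -> number of flagged accesses so far
    for a in accesses:
        reasons = []
        if mrn_of_user.get(a.user) == a.patient:
            reasons.append("self-access: workforce member opened own record")
        if (a.user, a.patient) not in assignments:
            reasons.append("no assignment on file for this user/patient pair")
            if a.user_facility != a.patient_facility:
                reasons.append(f"patient located at {a.patient_facility}, user at {a.user_facility}")
        if reasons:
            n = occurrences.get(a.patient, 0) + 1
            occurrences[a.patient] = n
            findings.append({
                "ts": a.ts.isoformat(), "user": a.user, "patient": a.patient,
                "document": a.document, "occurrence": n, "reasons": reasons,
            })
    return findings


# Constructed sample log: two facilities (FAC_A, FAC_B) sharing one EHR.
SAMPLE_LOG = """\
# ts|user|user_facility|patient|patient_facility|document
2017-01-03T09:05:00|rn_0042|FAC_A|pt_2001|FAC_A|MAR
2017-01-03T14:12:07|rn_0042|FAC_A|pt_9001|FAC_B|ED_NOTE
2017-01-03T14:15:30|rn_0042|FAC_A|pt_9001|FAC_B|LAB_RESULTS
2017-01-03T16:40:00|rn_0077|FAC_B|pt_9001|FAC_B|ED_NOTE
2017-01-04T08:00:00|rn_0077|FAC_B|pt_0077|FAC_B|DISCHARGE_SUMMARY
"""
# Constructed assignment export and staff-to-own-record mapping.
ASSIGNMENTS = {("rn_0042", "pt_2001"), ("rn_0077", "pt_9001")}
MRN_OF_USER = {"rn_0077": "pt_0077"}


def run_sample() -> list[dict]:
    """Run the audit over the constructed sample; returns the list of findings."""
    return flag_out_of_scope(parse_access_log(SAMPLE_LOG.splitlines()), ASSIGNMENTS, MRN_OF_USER)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['user']} -> {f['patient']} ({f['document']}), "
              f"occurrence {f['occurrence']}: {'; '.join(f['reasons'])}")
```

On the sample, the assigned same-facility accesses pass, the two cross-facility accesses of pt_9001 by rn_0042 are flagged as occurrences 1 and 2 for that patient, and rn_0077 opening pt_0077 is flagged as self-access. The assignment export is the critical input: without a current list of who is actually caring for whom, the review degrades back to the manual audit PO1 described.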
DON1 reported RN1 shared that she accessed PT1's medical information, and did so for non-work-related reasons. The facility has a record of RN1 completing a Code of Conduct policy in addition to multiple IT policies; however, RN1 did not receive training on Patient Privacy and Confidentiality of Protected Health Information and Workforce Access to Own Protected Health Information. RN1 did not have authorization or a business need to access PT1's medical information.
On May 17, 2019, Surveyor A interviewed Analyst1 at the facility. Analyst1 interviewed RN1 regarding the incident. RN1 stated she received a personal phone call informing RN1 about PT1's health condition and location. RN1 admitted she accessed PT1's medical information to check on PT1. PT1 was not a patient in the facility at the time of the incident, and was located at a separate facility within the same facility network. RN1 understood she should not have accessed PT1's medical information. There was no record of RN1 taking or being assigned the Patient Privacy and Confidentiality of Protected Health Information policy or Workforce Access to Own Protected Health Information. RN1 had access to PT1's medical information since the two facilities shared the same computer network. Analyst1 could not recall whether there was any warning or system safeguard preventing RN1 from accessing PT1's medical records.
On May 17, 2019, Surveyor A interviewed DON1 at the facility. DON1 stated RN1 told her about PT1 through casual conversation. RN1 stated PT1 had medical issues and her family was concerned. DON1 asked what happened, and RN1 began to describe PT1's specific lab values and condition. DON1 asked how RN1 knew PT1's information, and RN1 stated she accessed PT1's medical information. DON1 reminded RN1 about the facility's policies and stated RN1 should not have accessed PT1's medical information.
RN1 did not have a business need or authorization to access PT1's medical information. RN1 did not sign the form stating she completed the Patient Privacy and Confidentiality of Protected Health Information policy or Workforce Access to Own Protected Health Information policy, but should have known better as a nurse. RN1 could not recall whether there was any warning or system safeguard preventing RN1 from accessing PT1's medical records at the time of the incident.
On May 17, 2019, Surveyor A interviewed RN1 at the facility. RN1 admitted she accessed PT1's medical information without a business need or authorization. RN1 stated she received a personal call informing her of PT1's medical situation, and was asked to look up PT1's information. RN1 agreed and accessed PT1's medical information. RN1 stated she believed she accessed PT1's emergency room notes, but could not recall. PT1's name, date of birth, medical condition, and treatment were listed in the medical information accessed. The computer system at the time of the incident did not enforce a policy preventing an individual from accessing their own or their relative's medical information. RN1 could not recall receiving training regarding the access of an individual's or a relative's medical information.
Surveyor A attempted to contact PT1 multiple times, but PT1 has not responded to any contact attempts.
CONCLUSION:
Based on interviews and record reviews, the facility failed to prevent unlawful and/or unauthorized access to, and use or disclosure of, PT1's medical information. The breach occurred when RN1 accessed PT1's medical information from a separate facility within the facility's network, without a business need to do so or written authorization from PT1.