Health inspection·May 14, 2025

F 0583 Level of Harm - Minimal harm or potential for actual harm Residents Affected - Many During an interview at 2:59 p.m., CNA 2 stated staff normally send out text messages via a messaging app (GMP) on their (facility staff) personal phone regarding resident's care. CNA 2 stated all the staff working at the facility were on the (messaging) thread. CNA 2 explained the messaging thread was used for staff to discuss care provided to the residents. During a concurrent observation and interview at 3:30 p.m., CNA 3 stated any issue the resident had was addressed or shared with the staff through text messaging via a group chat on their personal cell phone. CNA 3 explained the application was called (GMP). CNA 3 stated they used the app to communicate updates on the residents and residents care needs. CNA 3 stated all employees in the facility use the text message application including administrators. CNA 3 explained if there was something going on with the facility or residents they will report it on the message thread. Further review of the select text format communication via CNA 3's personal smart phone was as follows: Text to [facility name] PM [night] Shift group thread on Tuesday, 3/25/25: 1.From [facility staff]: PM who ever had [resident first and last name and room number redacted, Resident 4] yesterday complaining that he didn't get shower yesterday and no one offered him he's really disappointed . During a concurrent observation and interview on 5/13/24 at 3:36 p.m., LN 1 stated staff communicate regarding residents through the (GMP) on their personal phone. LN 1 stated the thread was just for licensed nurses. LN 1 explained CNAs have their own (GMP) group chat. LN 1 stated the app (application) does not require a password to access once her phone was opened. Further review of the select text format communication via LN 1's personal smart phone was as follows: Text to [facility name] Nurses Only group thread undated: 1.From [DON]: Hi team, I need some help [first and last name redacted, Resident 1] went out on pass yesterday 5/11/25. She returned at 19:40 [7:40 p.m.] But I need to know what time she went out? I don't see any documentation of her leaving OOP [out of place], just returning . 2. From [facility staff]: Hall 4 Nurse, [resident first and last name redacted, Resident 5] [medical doctor name, address and phone number redacted] .Appt [appointment] Dates 5/13/2025 Appt Time: 1:50 PM . During a phone interview on 5/13/25, at 4:00 p.m., the Social Services Assistant (SSA) stated staff communication regarding residents was performed through the (GMP) messaging thread. The SSA stated the facility uses the application for teams (facility staff) to communicate and for follow-up of resident's care. The SSA stated there was a management thread and she thought there was a separate thread for CNAs and LNs. The SSA stated she had used the application to communicate for the last three years. During an interview on 5/14/25, at 11:30 a.m., with CNA 5, she stated she was added to the facility's (GMP) and group chats when she was first hired. CNA 5 stated the (GMP) was located on her personal phone and was used for nursing staff. CNA 5 stated the facility uses the (GMP) to communicate information everyone needs to know all at once. CNA 5 stated information communicated could include resident names and room numbers. Further review of the select text format communication via CNA 5's personal smart phone was as (continued on next page) FORM CMS-2567 (02/99) Previous Versions Obsolete Event ID: Facility ID: 555496 If continuation sheet Page 2 of 5 Printed: 05/15/2026 Form Approved OMB No. 0938-0391 Department of Health & Human Services Centers for Medicare & Medicaid Services STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION (X1) PROVIDER/SUPPLIER/CLIA IDENTIFICATION NUMBER: (X2) MULTIPLE CONSTRUCTION 555496 B. Wing A. Building (X3) DATE SURVEY COMPLETED 05/14/2025 NAME OF PROVIDER OR SUPPLIER STREET ADDRESS, CITY, STATE, ZIP CODE Riverwood Health Care 5320 Carrington Circle Stockton, CA 95210 For information on the nursing home's plan to correct this deficiency, please contact the nursing home or the state survey agency. (X4) ID PREFIX TAG SUMMARY STATEMENT OF DEFICIENCIES (Each deficiency must be preceded by full regulatory or LSC identifying information)

F 0583 follows: Level of Harm - Minimal harm or potential for actual harm Text to [facility name] CNA/RNA group thread undated: Residents Affected - Many 1. From [facility staff]: Hey team! Mr. [last name redacted, Resident 11] colostomy bags [waste/feces collection in a pouch (or colostomy bag) on the outside of your belly] came in. He has a clip to close his bag . 2. From [facility staff], NO BM [bowel movement] 3d [days]: 5/14 [first and last name redacted, Resident 6] 5/14 [first and last name redacted, Resident 7] 5/14 [first and last name redacted, Resident 8] 5/14 [first and last name redacted, Resident 9] 5/1 [first and last name redacted, Resident 10] If no BM for the patient above in your shift, please kindly do stop & [and] watch and inform your assigned LN. [NAME] [thank you] . During an interview on 5/14/25, at 11:41 a.m., CNA 4 stated she has the (GMP) on her personal phone. CNA 4 stated the (GMP) was used to communicate resident names who had not had bowel movements in so many days or if a resident needed a shower. CNA 4 stated the (GMP) was started about a year ago or longer. The CNA stated she thought it was a secure (phone) application because staff like the DON, Director of Staff Development (DSD), and the Administrator (ADM) have access to it. Further review of the select text format communication via CNA 4's personal smart phone was as follows: Text to [facility name] CNA/RNA group thread undated: 1. From [facility staff], NO BM [bowel movement] 3d [days]: 5/12 [first and last name redacted, Resident 12] 5/11 [last name redacted, Resident 13] If no BM for the patient above in your shift, please kindly do stop & watch and inform your assigned LN. [NAME] . During an interview on 5/14/25, at 11:50 a.m., LN 3 stated upon hire the expectation was she add the (GMP) to her personal phone, but she refused to add it. LN 3 stated she refused the (GMP) because she felt it was a HIPPA issue . LN 3 stated when she was questioned by facility staff regarding the (GMP) not being on her personal phone she would tell administration and other staff that she did not have her phone with her. (continued on next page) FORM CMS-2567 (02/99) Previous Versions Obsolete Event ID: Facility ID: 555496 If continuation sheet Page 3 of 5 Printed: 05/15/2026 Form Approved OMB No. 0938-0391 Department of Health & Human Services Centers for Medicare & Medicaid Services STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION (X1) PROVIDER/SUPPLIER/CLIA IDENTIFICATION NUMBER: (X2) MULTIPLE CONSTRUCTION 555496 B. Wing A. Building (X3) DATE SURVEY COMPLETED 05/14/2025 NAME OF PROVIDER OR SUPPLIER STREET ADDRESS, CITY, STATE, ZIP CODE Riverwood Health Care 5320 Carrington Circle Stockton, CA 95210 For information on the nursing home's plan to correct this deficiency, please contact the nursing home or the state survey agency. (X4) ID PREFIX TAG SUMMARY STATEMENT OF DEFICIENCIES (Each deficiency must be preceded by full regulatory or LSC identifying information)

F 0583 Level of Harm - Minimal harm or potential for actual harm Residents Affected - Many During an interview on 5/14/25, at 12:49 p.m., the DON stated staff including LNs and CNAs communicate through the (GMP) on their personal phone. The DON explained there were different messaging threads for nursing staff and CNAs. The DON further explained the facility used the (GMP) for staff scheduling, updates on in-services (staff education and training), and for communicating resident care. The DON stated medical information related to resident care was communicated through the (GMP). The DON acknowledged staff communicated resident identifiers, such as resident names and resident room number when using the (GMP). The DON stated sharing resident medical information on staff personal phones was a potential HIPPA violation. The DON acknowledged she could not keep track of individuals who were not employees having access to the application (GMP) on staff member's personal phone. The DON stated staff or individuals who are not involved in the care of the residents should not have access to the residents' medical information. The DON stated the risk to the residents if their medical information was accessed by others not providing direct care was the residents medical information would not be private. During an interview on 5/14/25, at 2:28 p.m., the ADM stated he was not sure what the facility's policy was for electronic communication. The ADM stated his expectation regarding HIPPA and resident personal and medical information was that it was on a need-to-know basis and can be shared amongst staff as required through communication. The ADM stated staff avoid personal cell phone texting regarding resident medical information and use (GMP) to communicate private resident information and medical information amongst staff. The ADM stated the (GMP) was an end-to end-secured software. The ADM further stated even though the messaging application was encrypted, if an individual gets into the device (cell phone) then anyone would have access to the information on the (GMP). The ADM stated employees were using the (GMP) to share information regarding resident care. The ADM acknowledged specific resident identifiers such as names and rooms number were disclosed in the message thread (GMP). The ADM acknowledged he did not have any control of who 'has' access to the employee's personal cell phone. The ADM further stated employees were not required to report to administration the status of their personal cell phone such as if it becomes lost or stolen. The ADM acknowledged once an individual gained access to an employee's cell phone, the application could be opened without a password and was not secure. The ADM stated the problem with the (GMP) could be if anyone other than an employee saw resident's confidential information on the phone it would be a HIPPA issue, and resident's PHI could be exposed. The ADM stated it was concerning but the facility was trying to avoid private text messages when communicating information related to resident care. Review of facility policy and procedure (P & P) titled, Protected Health Information (PHI), Management and Protection, revised 4/2014, indicated, .Protected Health Information shall not be used or disclosed except as permitted by current federal and state laws .It is the responsibility of all personnel who have access to resident and facility information to ensure that such information is managed and protected to prevent unauthorized release or disclosure .Each resident will be given a Privacy Notice outlining the uses and disclosures of PHI that may be made and notifying him/her of his/her rights and our legal duties with respect to PHI .Protected Health Information (PHI) may or shall be disclosed as follows .To the resident .pursuant to and incompliance with current and valid authorization .As may be otherwise permitted under current HIPAA privacy regulations . Review of facility P & P titled, Resident Rights, revised 12/2016, indicated, .Employees shall treat all residents with kindness, respect, and dignity .Federal and state laws guarantee certain basic rights to all residents of the facility. These rights include the resident's rights to .a dignified existence .privacy and confidentiality .The unauthorized release, access, or disclosure of resident information must be in accordance with current laws governing privacy of information issues. All inquiries concerning the (continued on next page) FORM CMS-2567 (02/99) Previous Versions Obsolete Event ID: Facility ID: 555496 If continuation sheet Page 4 of 5 Printed: 05/15/2026 Form Approved OMB No. 0938-0391 Department of Health & Human Services Centers for Medicare & Medicaid Services STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION (X1) PROVIDER/SUPPLIER/CLIA IDENTIFICATION NUMBER: (X2) MULTIPLE CONSTRUCTION 555496 B. Wing A. Building (X3) DATE SURVEY COMPLETED 05/14/2025 NAME OF PROVIDER OR SUPPLIER STREET ADDRESS, CITY, STATE, ZIP CODE Riverwood Health Care 5320 Carrington Circle Stockton, CA 95210 For information on the nursing home's plan to correct this deficiency, please contact the nursing home or the state survey agency. (X4) ID PREFIX TAG SUMMARY STATEMENT OF DEFICIENCIES (Each deficiency must be preceded by full regulatory or LSC identifying information)

F 0583 release of resident information should be directed to the HIPAA Compliance Officer . Level of Harm - Minimal harm or potential for actual harm Review of an online article posted by the HIPAA Journal titled Is [GMP facility used] HIPAA Compliant?, dated 9/12/23, last accessed on 6/23/25, indicated, .[GMP] is not HIPAA compliant and should not be used for receiving, storing, or sending Protected Health Information (PHI) . the platform should not be used to communicate PHI because it lacks the capabilities to support compliance with the HIPAA Security Rule . there are no capabilities to terminate an individual's access to PHI stored on their device, monitor logins, or support emergency access to PHI if the account owner is unavailable. The article further indicated [GMP] will not enter into an Agreement, and notes in its Business Terms We make no representations or warranties that our services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities . Even though all messages are encrypted, WhatsApp is not HIPAA compliant because it lacks other capabilities covered entities and business associates need to comply with the HIPAA Security Rule. It is important to note encryption alone does not make any software HIPAA compliant. The capabilities of the software, how they are configured, and how they are used determines compliance . Residents Affected - Many (https://www.hipaajournal.com/whatsapp-hipaa-compliant/) FORM CMS-2567 (02/99) Previous Versions Obsolete Event ID: Facility ID: 555496 If continuation sheet Page 5 of 5