Health inspection·March 25, 2025

42 FR §483.20 (f)(5) Resident-identifiable information (i)A facility may not release information that is resident-identifiable to the public. (ii)The facility may release information that is resident-identifiable to an agent only in accordance with a contract under which the agent agrees not to use or disclose the information except to the extent the facility itself is permitted to do so. 42 FR §483.70 (h)(2) The facility must keep confidential all information contained in the resident’s records, regardless of the form or storage method of the records, except when release is— (i)To the individual, or their representative where permitted by applicable law; (ii)Required by Law; (iii)For treatment health activities, reporting of abuse, neglect or domestic violence, health oversight activities, judicial and administrative proceedings, law enforcement purposes, organ donation purposes, research purposes or to coroners, medical examiners, funeral directors and to avert a serious threat to health or safety as permitted by and in compliance with 45 CFR 164.512. 42 FR §483.70 (h)(3) The facility must safeguard medical record information against loss, destruction, or unauthorized use. 22 CR § 72543 Patients’ Health Records (b)Information contained in the health records shall be confidential and shall be disclosed only to authorized personas in accordance with federal, state and local laws. On 1/27/2025 the California Department of Public Health (CDPH) received a complaint indicating Resident 1’s Responsible Party (RP-someone who is available to make decisions for the resident as necessary) received an email by mistake (from the facility). On 2/6/2025, the CDPH conducted an unannounced visit at the facility to investigate the allegation. The facility failed to: 1.Ensure identifiable information for Residents 4, 5 and 6, were not sent to an unauthorized person (RP 1) This failure violated Resident 4, 5 and 6’s right to privacy and had the potential to result in the public obtaining access to confidential (private) information regarding the resident’s medical conditions and treatments without their consents. Resident 1 was a 76-year-old female, originally admitted to the facility on 10/30/2023 and readmitted on 12/26/2024. Resident 1’s diagnoses included metabolic encephalopathy (disorder that affects brain function) and acute respiratory failure (ARF-a life-threatening condition characterized by the sudden and severe inability of the lungs to exchange oxygen and carbon dioxide between the blood and the atmosphere) with hypoxia (a condition where there is not enough supply of oxygen to the body tissues). A review of Resident 1’s Minimum Data Set (MDS- a resident assessment tool) dated 1/10/2025, indicated Resident 1 was cognitively intact (having the ability to think, remember and solve problems). The MDS indicated Resident 1 required partial/moderate assistance (staff does less than half the effort) for Activities of Daily Living (ADLs) such as eating, showering/bathing and lower body dressing. During an interview on 2/6/2025 at 12:56 p.m. with Resident 1’s RP (RP 1), RP 1 stated, she had received an email from the facility (sent by the Director of Nursing [DON] on 1/27/2025) which included information regarding other residents (Resident 4, 5 and 6). RP 1stated the email was also sent to about 12 other recipients (including Medical Records (MR) and Administrator (ADM). Resident 4 was a 68-year-old male, originally admitted to the facility on 10/14/2016 and readmitted on 6/20/2022. Resident 4’s diagnoses included hemiplegia (total paralysis of the arm, leg, and trunk on the same side of the body) and hemiparesis (muscle weakness affecting one side of the body) following a cerebral infarction (occurs when blood flow to the brain is blocked) affecting the right dominant side. A review of Resident 4’s MDS dated 1/3/2025, indicated Resident 4 was cognitively intact. The MDS indicated Resident 4 was dependent on staff for ADLs such as eating, toileting, hygiene, and lower body dressing. Resident 5 was a 51-year-old male, originally admitted to the facility on 10/7/2022 and readmitted on 8/25/2024. Resident 5’s diagnoses included heart failure (a heart disorder which causes the heart not to pump blood efficiently) and end stage renal disease (ESRD-irreversible kidney failure). A review of Resident 5’s MDS dated 1/1/2025, indicated Resident 5 was cognitively intact. The MDS indicated Resident 5 required supervision or touching assistance (staff provides verbal cues and/or touching/steadying and/or contact guard assistance as resident completes activity) for ADLs such as showering/bathing and personal hygiene. Resident 6 was a 52-year-old male, originally admitted to the facility on 8/23/2023 and readmitted on 5/23/2024. Resident 6’s diagnoses included ESRD and ARF with hypoxia. A review of Resident 6’s MDS dated 11/13/2024, the MDS indicated Resident 6 was cognitively intact. The MDS indicated Resident 6 required supervision or touching assistance from staff for ADLs such as toileting hygiene, putting on/taking off footwear and personal hygiene. During a concurrent record review and interview on 2/7/2025 at 11:16 a.m., an email sent by the DON to RP 1 on 1/27/2025 was reviewed. The DON stated the email was intended for the facility’s department heads however, the DON had accidentally included RP 1 on the email who had a similar name as the Dietary Supervisor (DS). The DON stated the incident should not have happened because the email contained resident identifiable information and as a result, violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA-federal standards protecting sensitive health information from disclosure without patient’s [resident’s] consent) A review of the facility’s P&P titled, “Data Breach Incident Policy,” dated 12/2016, indicated “it is the policy of this facility to protect the privacy and security of Patient Healthcare Information (PHI) in compliance with applicable Federal and State law, as well as with Munson policies and procedures.” The P&P indicated it is the facility’s policy to foster a culture of respect for resident privacy and to prevent PHI from being compromised.” The facility failed to: 1.Ensure identifiable information for Residents 4, 5 and 6 were not sent to an unauthorized person (RP 1) This failure violated Resident 4, 5 and 6’s right to privacy and had the potential to result in the public obtaining access to confidential information regarding the resident’s medical conditions and treatments without their consents. This violation had a direct or immediate relationship to the health, safety, or security of residents.