Other·December 5, 2023

§ 72521. Administrative Policies and Procedures: 72521(c)(4)(B) (c) Each facility shall establish at least the following: (1) Personnel policies and procedures which shall include: (A) Written job descriptions detailing qualifications, duties and limitations of each classification of employee available to all personnel. (B) Employee orientation to facility, job, patient population, policies, procedures and staff. (C) Staff Development. (D) Employee benefits. (E) Employee health and grooming. (F) Verification of licensure, credentials and references. (4) Written policies and procedures governing patient health records which shall be developed with the assistance of a person skilled in record maintenance and preservation. (B) Policies and procedures shall be established to ensure the confidentiality of patient health information, in accordance with applicable laws and regulations. § 72527. Patients' Rights. 72527(a)(11)(12) (a) Patients have the rights enumerated in this section and the facility shall ensure that these rights are not violated. The facility shall establish and implement written policies and procedures which include these rights and shall make a copy of these policies available to the patient and to any representative of the patient. The policies shall be accessible to the public upon request. Patients shall have the right: (11)To be assured confidential treatment of financial and health records and to approve or refuse their release, except as authorized by law. (12) To be treated with consideration, respect and full recognition of dignity and individuality, including privacy in treatment and in care of personal needs. § 72543. Patients' Health Records: 72543(b) (b)Information contained in the health records shall be confidential and shall be disclosed only to authorized persons in accordance with federal, state and local laws. F583 §483.10(h) Privacy and Confidentiality. The resident has a right to personal privacy and confidentiality of his or her personal and medical records. §483.10(h)(l) Personal privacy includes accommodations, medical treatment, written and telephone communications, personal care, visits, and meetings of family and resident groups, but this does not require the facility to provide a private room for each resident. §483.10(h)(2) The facility must respect the residents right to personal privacy, including the right to privacy in his or her oral (that is, spoken), written, and electronic communications, including the right to send and promptly receive unopened mail and other letters, packages and other materials delivered to the facility for the resident, including those delivered through a means other than a postal service. §483.10(h)(3) The resident has a right to secure and confidential personal and medical records. (i) The resident has the right to refuse the release of personal and medical records except as provided at §483.70(i)(2) or other applicable federal or state laws. (ii) The facility must allow representatives of the Office of the State Long-Term Care Ombudsman to examine a resident's medical, social, and administrative records in accordance with State law. On 10/24/23 at 12:40 PM the Department of Public Health conducted an unannounced visit at the facility, to investigate a facility reported incident regarding allegations of patient rights for Patient 1, an 86 year old male who had a diagnosis of diagnoses of dysphagia (difficulty swallowing), dementia (a group of thinking and social symptoms that interferes with daily functioning), diabetes (a group of diseases that result in too much sugar in the blood), and functional quadriplegia (complete inability to move due to severe disability or frailty), and Patient 2, a 92 year old male who had a diagnosis of dysphagia (difficulty swallowing), history of falling, hearing loss, and rhabdomyolysis (a breakdown of muscle tissue that releases a damaging protein into the blood). The facility failed to implement its policy on “HIPAA Privacy and Security Operational Policy and Procedure” to protect patients private and confidential information. As a result, Patient 2’s family member received Patient 1’s medical records during discharge to home on 8/28/23, and Patient 2’s medical record was provided to emergency services on 8/28/23 for Patient 1 who was being transferred to the acute hospital. This failure resulted in the potential to negatively impact Patient 1 and 2’s rights to privacy and unauthorized access of others to Patient 1’s confidential records. Findings: A review of Patient 1’s Admission Record indicated the patient was admitted to the facility on 7/23/2022 and readmitted on 9/4/2023 with diagnoses of dysphagia (difficulty swallowing), dementia (a group of thinking and social symptoms that interferes with daily functioning), diabetes (a group of diseases that result in too much sugar in the blood), and functional quadriplegia (complete inability to move due to severe disability or frailty). A review of Patient 1’s Minimum Data Set (MDS - a standardized assessment and screening tool) dated 7/27/2023, indicated the patient had severely impaired cognitive (mental action or process of acquiring knowledge and understanding) skills for daily decision-making. The MDS indicated the patient required extensive assistance with staff for activities of daily living (ADLs, term used in healthcare to refer to daily self-care activities) such as bed mobility, transfers, eating, personal hygiene, and toilet use. The MDS indicated Patient 1 could not walk. A review of a facility document titled “Nursing Home to Hospital Transfer Form” dated 8/28/2023, indicated Patient 1 was transferred to the acute hospital for a change of condition that included lethargy. A review of Patient 2’s Order Summary Report, dated 8/26/2023, indicated the Patient 1’s full name, date of birth, diagnoses and list of medications the patient was prescribed. A review of Patient 2’s Admission Record indicated that the patient was admitted to the facility on 8/11/2023 with diagnoses of, but not limited to, dysphagia (difficulty swallowing), history of falling, hearing loss, and rhabdomyolysis (a breakdown of muscle tissue that releases a damaging protein into the blood). A review of Patient 2’s Minimum Data Set (MDS - a standardized assessment and screening tool) dated 8/17/2023, indicated the patient had intact cognitive (mental action or process of acquiring knowledge and understanding) skills for daily decision-making. The MDS indicated the patient required limited to extensive assistance on staff for activities of daily living (ADLs - term used in healthcare to refer to daily self-care activities). The MDS indicated Patient 1 required extensive assistance with one person for bed mobility, transfers (moving from one surface to another, i.e. bed to chair), toileting, dressing, personal hygiene, locomotion on the unit (movement around the facility), locomotion off the unit (movement when not in the facility. A review of Patient 2’s Discharge Summary and Post-Discharge Plan of Care dated 8/28/2023, indicated that Patient 2 was discharged to home. During an interview on 10/24/2023 at 12:50 pm, the Director of Nurses (DON) stated that on 8/28/2023, there were two patients that were leaving the facility at around the same time. The DON stated that Patient 1 had a change of condition and was being transferred to the acute hospital for further evaluation, while Patient 2 was being discharged to home with family. The DON stated when Patient 2 was discharged home, Patient 1’s discharge paperwork was accidentally given by the licensed nurse to Patient 2’s family. During an interview on 10/24/2023 at 2:40 pm, the Administrator (ADM) stated that two patients were leaving the facility at around the same time, on 8/28/2023. The ADM stated Patient 1 was leaving the facility via 911 emergency services to the acute hospital and Patient 2 was going home with family. The ADM stated Patient 2 accidentally received Patient 1’s medication list, which included Patient 1’s full name, date of birth, diagnoses and medications prescribed. The ADM stated the facility became aware of the breach when a third party that conducts satisfaction interviews for the facility reported to the facility. that during the satisfaction interviews Patient 2’s family disclosed they received records with information that was not for Patient 2. The ADM stated she retrieved the documents from Patient 2’s family and notified the family of Patient 1. During an interview on 10/24/2023 at 3:15 pm, of Family 1 (Patient 1’s family), Family 1 stated she was informed that Patient 1’s private information had been accidentally given to Family 2 (Patient 2’s family). During an interview on 10/24/2023 at 3:30 pm, Licensed Vocational Nurse (LVN 1) stated another licensed vocational nurse (LVN2) was discharging Patient 2 and Patient 1 on 8/28/2023, at the same time. LVN 1 stated that he offered to assist LVN 2, so he helped discharge Patient 2. LVN 1 stated he gave the family of Patient 2 a file of discharge documents, which he later found out, when the breach was reported to the facility by the survey company, contained personal information (the physicians order summary form) of Patient 1. LVN 1 stated he should have double checked the paperwork before handing the records out to Patient 2. LVN 1 stated it was important to protect the privacy and personal information of all patients. LVN 1 stated that patients could be at risk for identity theft. During an interview and concurrent record review on 10/25/2023 at 1 pm of Patient 1’s Order Summary Report dated 8/26/2023, the DON stated the file of documents accidentally given to Patient 2’s family contained Patient 1’s Order Summary form (includes personal information, including full name, date of birth, diagnoses and medications prescribed.) The DON stated the breach of privacy might result in using the other person’s private information for the wrong reasons as well as the potential for the patient and/or family to feel uncomfortable. The DON stated the paperwork should have been double checked by the LVNs prior to handing it out to both patients (Patients 1 and 2) on 8/28/2023. The DON stated that it was the facility’s responsibility to protect the patient’s private information. A review of the facility’s undated policy titled, “HIPAA Privacy and Security Operational Policy and Procedure,” indicated that, “HIPAA Privacy rule creates national standards to protect a patient’s medical record and other personal health information. As healthcare providers we use and disclose sensitive individually identifiable information daily and it is our duty to protect that information.” The facility failed to implement its policy on “HIPAA Privacy and Security Operational Policy and Procedure” to protect patients private and confidential information. As a result, Patient 2’s family member received Patient 1’s medical records during discharge to home on 8/28/23, and Patient 2’s medical record was provided to emergency services on 8/28/23 for Patient 1 who was being transferred to the acute hospital. This violation had a direct relationship to the health, safety, and security of Patient 1 and Patient 2, and all patients residing in the facility.