Violation of Resident's Right to Confidentiality
Summary
The facility failed to ensure a resident's right to have his medical record kept private and confidential. The Business Office Manager (BOM) disclosed clinical information about Resident H's medical condition, treatment, and services to the resident's family without the resident's permission. This information was shared during a private meeting outside of the facility property. The BOM, who is not authorized to provide clinical information, shared details such as the lack of wound care and physical therapy notes, her opinion on the resident's mental capacity, and overheard conversations between a facility nurse and the resident's dialysis center. The Regional Nurse Consultant (RNC) and the Director of Nursing (DON) confirmed that the BOM's actions were outside her scope of practice and constituted a HIPAA violation, as the resident did not have a Power of Attorney (POA) and was listed as his own responsible party with normal cognitive function. Resident H, a long-term care resident with diagnoses including End Stage Renal Disease, Type 2 Diabetes, and Diabetic Neuropathy, was cognitively intact with a Brief Interview for Mental Status (BIMS) score of 15 out of 15. The facility's guidelines on resident rights and HIPAA privacy were not followed, as the BOM improperly shared confidential health information without the resident's consent. The facility's policies clearly state that only clinical staff are permitted to provide clinical information to residents or their POA, and any unauthorized sharing of health information is considered a violation of HIPAA regulations.
Penalty
Resources
Below are regulatory guidelines relevant to this citation:
A cognitively intact, fully dependent and always incontinent resident received incontinence care from a CNA in a shared room without the privacy curtain being drawn, despite the roommate being present. During the care, the resident’s genital area and buttocks were exposed while the CNA removed the adult brief and cleaned the resident. The resident later reported that staff sometimes forget to pull the curtain and that this exposure sometimes bothers him, and the CNA acknowledged not using the privacy curtain, contrary to facility policy on resident privacy during personal care.
A cognitively intact resident with Huntington’s disease and other conditions was participating in chair exercises when a CNA used a personal cellphone to record the resident lifting her leg above her head, without any signed photo release or consent from the resident’s POA. Two other CNAs watched the event and did not report it. Other staff later observed the CNAs laughing and viewing the image on the phone. Review of incident reports, staff statements, and the facility’s social media policy confirmed that the recording was taken in the work area using a personal device and that facility policy prohibits taking or sharing resident photos or videos without prior written permission.
A resident who was cognitively intact and required supervision with ADLs was discharged, and an LPN mistakenly sent that resident’s representative home with another resident’s medications and written discharge instructions, which included detailed information on multiple prescribed drugs for serious conditions such as cerebral infarction, seizures, and sepsis. The error was discovered at shift change when the night nurse could not locate the second resident’s medications in the cart. The administrator and DON confirmed that the wrong medications and paperwork had been provided, and the discharging resident’s representative later reported to police that they had received another resident’s private health information, although none of the incorrect medications were taken.
Surveyors found that during medication administration, two RNs repeatedly left an electronic medical record screen open and visible on the med cart while entering resident rooms, exposing protected health information (PHI). For multiple residents with complex conditions such as diabetes, CHF, dementia, cerebral palsy, acute kidney failure, depression, and urinary issues, the EMR displayed names, room numbers, diagnoses, and medications and was not locked or secured. Both RNs confirmed in interviews that they did not lock the computer screens before leaving the cart, resulting in PHI being viewable to anyone passing by.
An unattended medication cart laptop at the nurses’ station was left open to a cognitively intact resident’s electronic record, displaying PHI including the resident’s photo, name, gender, room number, date of birth, code status, allergies, and recent vital signs. The cart and laptop were unattended in a common area, allowing anyone passing by to view the information. An LPN confirmed the laptop was left open with visible PHI, despite a facility policy assigning staff responsibility to prevent unauthorized disclosure of PHI.
Staff failed to protect resident health information privacy by discussing medical conditions and treatment plans in public areas. A nurse practitioner and an RN discussed one resident’s medications in a hallway and assessed another resident’s ankle pain and new medication orders at a table in an activities room while other residents were present, without seeking the resident’s preference or moving to a private area. During a meal, a speech therapist questioned a resident with cognitive issues about a recent doctor’s appointment in a crowded dining room and then loudly asked an LPN across the room for details, prompting the LPN to describe the appointment within earshot of other residents and visitors, contrary to the facility’s privacy policy.
Failure to Ensure Privacy During Incontinence Care
Penalty
Summary
The deficiency involves a failure to maintain privacy during incontinence care for Resident #3. The resident was admitted with multiple diagnoses including lung disease, heart failure, diabetes, anxiety, gastric reflux, hypertension, arthritis, and a gastric bleed. A quarterly MDS assessment dated 01/14/26 documented that the resident was cognitively intact, dependent on staff for personal hygiene, toileting, bathing, dressing, transfer, and mobility, and was always incontinent of bowel and bladder. Facility policy on Resident Rights stated that residents have the right to privacy and confidentiality, including personal privacy during personal care. On 03/25/26 at 8:58 A.M., a surveyor observed CNA #137 gather supplies and enter the double-occupancy room of Resident #3, closing the door while the resident’s roommate remained in the room in his wheelchair. Although a privacy curtain divided the room, the CNA did not draw the curtain at any time during the incontinence care. The CNA removed the resident’s adult brief, exposing his genital area for cleaning, and then had him roll to his left side toward the wall, which exposed his buttocks to his roommate while care continued. During an interview at 9:04 A.M. the same day, the resident stated that CNAs sometimes forget to pull the curtain during incontinence care and that it sometimes bothers him to be exposed to his roommate when present. CNA #137, present during the interview, acknowledged she had not pulled the privacy curtain.
Unauthorized Cellphone Recording of Resident Without Consent
Penalty
Summary
The facility failed to ensure the confidentiality and privacy of a resident’s personal and medical information when a CNA used a personal cellphone to record the resident without consent. The resident, admitted with diagnoses including Huntington’s disease, anxiety, and protein calorie malnutrition, was cognitively intact with a BIMS score of 13 and required one-person assistance with ADLs. During a chair exercise activity in the dining room, the CNA observed the resident lifting her leg above her head and took out her cellphone to take a picture/video of the resident. Two other CNAs stood nearby, watched the resident performing the exercises, and witnessed the recording being made but did not report it. The resident’s POA later confirmed that she had not given authorization for any photos or videos to be taken of the resident. Multiple staff interviews and document reviews corroborated that the recording occurred and that it involved the resident’s image being captured without prior authorization. The Activities Director and Business Office Manager both observed the three CNAs outside the dining room laughing and looking at a cellphone image of the resident with her leg pointed straight up. Review of the incident reports and staff statements confirmed that the recording was made on a personal cellphone in the work area. The Admissions Coordinator verified that there was no signed photo release authorization for the resident, and review of the facility’s Social Media Policy showed that employees are prohibited from using personal electronic devices in the work area without written approval and from taking or sharing resident photos or videos without prior written permission from the resident or authorized agent. Observation of the video by the Administrator and DON further confirmed that the resident had been recorded without authorization, constituting a breach of confidentiality and privacy.
Privacy Breach When Wrong Discharge Medications and Instructions Given to Another Resident
Penalty
Summary
The facility failed to ensure the privacy and confidentiality of a resident's health information when discharge medications and paperwork for one resident were mistakenly given to another resident's representative. Resident #70, who was cognitively intact and required supervision with ADLs, was discharged on 09/30/25. At discharge, LPN #142 accidentally provided Resident #70's representative with Resident #71's medications and written discharge instructions instead of Resident #70's. Resident #71 had been admitted with diagnoses including cerebral infarction, seizures, and sepsis and had active physician orders for multiple medications, including Norvasc, aspirin, Biotin, Cozaar, folic acid, Keppra, Lipitor, methotrexate, metoprolol, polyethylene glycol, prednisolone eye drops, sennoside, and Synthroid. The error was not identified by facility staff until shift change, when the night shift nurse was unable to locate Resident #71's medications in the medication cart. The Administrator and DON reported that nursing staff realized the wrong medications and discharge instructions had been given to Resident #70 approximately two to three hours after the resident left the facility. Resident #70's representative later reported the incident to the police and confirmed that the facility had sent home another resident's medications and discharge instructions, and that none of those medications had been taken. Both the Administrator and Resident #70's representative confirmed that private health information for Resident #71 had been disclosed to Resident #70 and her representative, contrary to the facility's HIPAA policy, which states that the facility will protect the privacy and confidentiality of residents' individually identifiable health information.
Failure to Protect Resident PHI During Medication Administration
Penalty
Summary
Surveyors identified a deficiency related to failure to maintain privacy of residents' personal and medical records during medication administration. On multiple occasions on the same day, two RNs prepared medications at a medication cart with an electronic medical record (EMR) screen displaying residents' protected health information and then entered resident rooms without locking the computer screen. For one resident with diabetes, muscle weakness, cognitive communication deficit, need for assistance with personal care, hypertension, constipation, and congestive heart failure, an RN left the EMR open showing the resident's name, room number, diagnoses, and medications visible to anyone passing by. The RN confirmed in interview that she had not locked the computer screen to protect the resident's personal health information. Similar observations were made for five additional residents with various diagnoses including eating disorder, cerebral palsy, acute kidney failure, gastrointestinal hemorrhage, anxiety disorder, constipation, exposure to viral communicable diseases, malignant neoplasms of the pancreatic duct and kidney, depression, dementia, urinary tract infection, urine retention, neuromuscular dysfunction of the bladder, slow transit constipation, altered mental status, and congestive heart failure. In each case, the RN prepared medications at the cart, left the EMR screen active and visible with the resident's name, room number, diagnoses, and medications, and then entered the resident's room to administer medications without securing the screen. Both RNs involved acknowledged during interviews that they had not locked the computer screens to protect the residents' personal health information.
Unattended Laptop Exposed Resident PHI at Nurses’ Station
Penalty
Summary
The deficiency involved a failure to keep a resident’s protected health information (PHI) private and confidential when an unattended medication cart laptop was left open and visible in a common area. The resident involved had multiple medical diagnoses including respiratory failure, heart disease, atrial fibrillation, pulmonary hypertension, peripheral venous insufficiency, a history of falling, and transient ischemic attacks, and was cognitively intact, used a wheelchair, and required maximal to dependent assistance with ADLs per a recent MDS assessment. During observation at the second-floor nurses’ station, surveyors noted the laptop on the medication cart was left open to the landing page for this resident, displaying PHI such as the resident’s photo, name, gender, room number, date of birth, code status, allergies, and most recent vital signs, and the cart and laptop were unattended, making the information viewable to anyone passing by. An LPN confirmed that the laptop was unattended and that PHI for the resident was visible, and review of the facility’s PHI policy showed that facility personnel were responsible for preventing unauthorized disclosure of PHI; this issue was identified as an incidental finding during a complaint investigation.
Failure to Protect Resident Health Information Privacy in Public Areas
Penalty
Summary
The deficiency involves failures to maintain the privacy and confidentiality of residents’ personal health information during clinical interactions in public areas. A nurse practitioner and an RN discussed medications with Resident #7 in a hallway near a resident room after the resident approached the NP with questions about medications prescribed the prior day; there was no evidence the NP directed the resident to a private location for this discussion. The same NP and RN then went to the activities room, where six residents were seated at a table playing a dice game, and the NP discussed Resident #42’s ankle pain and the plan to prescribe new medication at the table without asking if the resident was comfortable being assessed there or making any accommodations to move her away from the other residents. Resident #42’s record contained a progress note documenting that she was seen by the NP and that new orders were received related to complaints of leg pain. A separate incident occurred in the dining area during lunch, where a speech therapist spoke with Resident #79 about a recent doctor’s appointment in the presence of two visitors, 11 residents, and two LPNs. When the resident, who had cognitive issues, could not provide the information, the therapist loudly called across the room to an LPN to ask about the appointment, and the LPN responded by describing the physician visit loudly enough to be heard from the other side of the room. The LPN later confirmed that private medical information had been requested and shared in the full dining area and acknowledged that this information should not have been disclosed in that public setting. These actions were inconsistent with the facility’s Dignity, Respect, and Privacy Policy, which requires that unnecessary individuals be asked to leave while care is provided and that residents’ privacy and dignity be maintained.
Trusted data from CMS and state health departments
Every citation, penalty and Plan of Correction is sourced from public CMS records (latest release May 27, 2026) and official state health department websites — never guesswork.
Trusted by long-term care providers and associations.
