Unauthorized Disclosure of Resident PHI via Email
Summary
A deficiency occurred when the Social Services Director (SSD) sent an email containing a resident's Face Sheet (Admission Record) and information regarding podiatry care needs to an unauthorized recipient, specifically another resident's family member. The email included protected health information (PHI) such as the resident's Medicaid, Medicare, and insurance policy numbers, home address, care providers, emergency contact, and financial representative. The SSD stated that the email was sent by mistake: the intended recipient was a medical provider with the same first name as the family member who actually received the email. The resident whose information was disclosed had a history of anemia, chronic pain, and gout, and was noted to have severely impaired cognition, requiring substantial to maximal assistance with activities of daily living. The resident was able to make needs known but could not make medical decisions. The SSD recognized the error and attempted to recall the email, but did not report the incident to facility leadership or follow the facility's policy for handling breaches of PHI. Interviews with the Administrator and Director of Nursing revealed that the facility's protocol required immediate reporting of any PHI breach to leadership, investigation of the incident, and notification of the resident or responsible party. The facility's policy also specified that access to resident records should be limited to authorized staff and business associates, which was not followed in this instance.
Plan Of Correction
How corrective actions will be accomplished for those residents found to have been affected by the deficient practice:

Resident 8 was informed of the breach on March 26, 2025, and was assured that the facility would take all appropriate steps to mitigate any potential negative consequences resulting from the incident.

How the facility will identify other residents having the potential to be affected by the same deficient practice and what corrective action will be taken:

All residents had the potential to be affected by this deficient practice. Beginning on March 27, 2025, the Social Services Director conducted outreach to residents within the facility to identify any additional potential breaches and to ensure there were no further incidents or concerns related to the confidentiality of Protected Health Information (PHI). No additional findings were identified as a result of this review.

What measures will be put into place or what systemic changes will the facility make to ensure that the deficient practice does not recur:

From March 27 to March 28, 2025, licensed nurses and department supervisors participated in an in-service training conducted by the Administrator or designee. The training focused on the protection of residents' rights to privacy and the confidentiality of Protected Health Information (PHI), in accordance with HIPAA regulations. On March 27, 2025, the Administrator conducted a one-on-one training with the Social Services Director, emphasizing the importance of secure communication practices and the protection of residents' rights to privacy and the confidentiality of Protected Health Information (PHI), in compliance with HIPAA regulations. The Social Services Director will adhere to safe communication practices and will promptly report any potential breaches of confidentiality to the Administrator for further review and appropriate action.

How the facility plans to monitor its performance to make sure that solutions are sustained:

The ADMIN/designee will provide any negative findings to the QAPI committee monthly x 3 months for further monitoring and action planning as indicated, or until the QAA committee determines compliance.

Date of Compliance: April 1st, 2025