Unauthorized Access and Disclosure of Resident Medical Records
Penalty
Summary
The facility failed to safeguard resident-identifiable information and maintain medical records in accordance with accepted professional standards for one resident. An independent liaison, who was not an employee of the facility, hospice company, or corporation, obtained and retained the resident's medical records without the resident's consent. The liaison accessed these records through the hospice company and used the information to arrange for the resident's discharge to home hospice services, despite not having a medical background or prior contact with the resident or their family.

The resident in question had a diagnosis of complete paraplegia and essential hypertension, with medical records indicating intact cognition and the capacity to make medical decisions. The resident required significant assistance with activities of daily living. The liaison did not confirm the resident's wishes or obtain consent before accessing and using the resident's protected health information (PHI) for discharge planning. The family was informed by the liaison, who identified herself as a case manager for the corporate office, that the resident needed to be discharged the next day, without prior notice or direct communication from facility staff.

Facility leadership, including the Vice President of Operations, confirmed that the liaison was not affiliated with the facility or corporation and had no authorization to access or use the resident's medical records. The facility's failure to control access to PHI resulted in a violation of HIPAA privacy standards, as the liaison was able to obtain, review, and act upon the resident's medical information without proper authorization or consent.