Unauthorized Disclosure of PHI via Non-Compliant Messaging App
Penalty
Summary
Facility staff failed to ensure the privacy and confidentiality of residents' personal and medical records by communicating protected health information (PHI) through a group messaging platform (GMP) installed on staff members' personal smartphones. Multiple interviews and observations confirmed that both licensed nurses and certified nursing assistants routinely used the application to share resident names, room numbers, medical updates, and care needs. The GMP required no separate password once the phone was unlocked, and staff were not required to report a lost or stolen phone, increasing the risk of unauthorized access to PHI.

The Director of Nursing (DON), Administrator (ADM), and other staff acknowledged that resident identifiers and medical information were shared through the GMP and that the application was not HIPAA-compliant. The DON admitted that there was no way to control or monitor who could access the information if a staff member's phone was compromised. Staff interviews revealed that use of the GMP for communication about resident care was the expectation; some staff expressed concerns about the privacy implications, and at least one nurse refused to install the app because of HIPAA concerns.

The facility policies reviewed stated that PHI may be disclosed only as permitted by law and that employees are responsible for protecting resident information from unauthorized release. The use of a GMP that lacks the necessary security features and is not HIPAA-compliant directly contradicted those policies, and the facility's own leadership acknowledged both the risk and the lack of control over PHI once it had been shared via staff personal devices.