Unauthorized Individual Allowed Access to Visible Medical Records
Summary
The facility failed to protect residents’ confidential personal and health information by allowing an unauthorized individual into the medical records office where protected health information (PHI) was openly accessible.

Facility policies titled “Resident Rights” and “Protected Health Information (PHI), Management and Protection of,” both dated 2001, stated that unauthorized release, access, or disclosure of resident information was prohibited and that PHI shall not be used or disclosed except as permitted by federal and state laws. The HIPAA compliance training described by a medical records assistant (MRA 1) included instruction not to release or share resident information with anyone other than the resident or the resident’s durable power of attorney. The DON and the Medical Records Director both stated that only designated staff (medical records staff, licensed nurses, therapists, physicians, admissions, administrator, activities staff, DSD, dietary supervisor, and registered dietician) were authorized to access medical records, and that no volunteers or other unauthorized persons were permitted in the medical records department.

Despite these policies and training, MRA 1 reported that on a specific date she allowed a family member (Family Member 1), who was her means of transportation and not an employee of the facility, to sit inside the medical records office with her for approximately one to two hours while she put away discharged residents’ 2025 medical records. MRA 1 acknowledged that she knew she was not supposed to bring anyone into the office and stated she asked Family Member 1 to stay inside because it was hot outside.

Surveyor observation of the medical records office showed two large open bookshelves with three rows of medical record folders containing visible resident names, and some folders also showed admission dates, discharge dates, and medical record numbers. MRA 1 confirmed that from the chair where Family Member 1 sat, the resident names on the medical record folders were visible. The DON verified that Family Member 1 was not an employee and reiterated that unauthorized persons were not allowed in the medical records office due to the easily accessible medical records that needed protection.
