Loss of Unencrypted PHI on USB Drive Due to Lack of Policy
Penalty
Summary
The deficiency involves the facility’s failure to develop and implement a policy and procedure governing the use of USB drives for transmitting Protected Health Information (PHI). The governing body was responsible for establishing and implementing policies for managing and operating the facility and for appointing an administrator to manage the facility.

The Medical Records Director (MRD) received an email request from a resident’s authorized representative for copies of the resident’s complete medical record. The MRD initially attempted to send the requested records via email, but the files were too large to transmit. The MRD then saved all requested medical record documents onto a USB flash drive and mailed it via certified mail to the address provided by the authorized representative. The USB drive contained the resident’s medical records, medical record number, payor/insurance provider and eligibility information, residency dates at the facility, and share of cost. The facility later received the envelope back marked “Return to Sender; Attempted – Not Known Unable to Forward,” and the envelope was torn open with the USB drive missing.

The MRD stated the USB drive was not password protected and confirmed there was no policy or procedure addressing the use of USB drives to send PHI. The Administrator reported that, after learning of the lost unencrypted USB drive, he reviewed the facility’s PHI-related policies and found they were outdated and did not address the use of USB drives or current technology, and acknowledged that if USB drives were being used to send PHI, there should have been a policy requiring password protection.
