HIPAA Helper
Jan 30, 2014

This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

MAMMOTH HOSPITAL

85 SIERRA PARK ROAD, PO BOX 660, MAMMOTH LAKES, CA 93546

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 30, 2014. Also cited in 15 other reports.


Report ID: SGJO11.01, California Department of Public Health

Reported Entity: MAMMOTH HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure that a system was in place in the emergency department (ED) to protect against unauthorized access to confidential, protected health information (PHI: any information about health status, provision of health care, or payment for health care that can be linked to an individual) for patients through the electronic records system. This had the potential to result in unauthorized access to PHI and a breach of PHI for any ER or clinic patient.

Findings:

On January 30, 2014 at 9:00 AM, a phone interview was conducted with the facility privacy officer (FPO) to investigate an entity-reported incident of possible unauthorized access to the electronic record of a former employee who was a patient (Patient A) by more than one emergency department nursing staff employee.

On February 4, 2014 at 1:30 PM, a second interview was conducted with the FPO after she had verified with the ED Director that ED nurses could access clinic records, and would do so upon request of the ED physicians to obtain specific information, such as what medications the patient had been prescribed.

During the course of the investigation on February 12, 2013 at 3:00 PM, and on February 13, 2013 at 3:00 PM, when the FPO was asked what systems were in place to protect patients from unauthorized access to their PHI, she did not provide an answer.

A review was conducted on March 3, 2014, of the facility's investigation of the alleged unauthorized access by facility staff into Patient A's PHI. FPO 2 documented, "In the ER (emergency room) generic logins are used by everyone to access all the computers in the ER department...Once logged onto a workstation every employee must use their unique login and password to access any patient information. If an employee walks away from a workstation, even if they "lock" the workstation, any other knowledgeable ER employee may gain access by unlocking the workstation with the generic login and password. If the original employee has not logged off the patient database, that access is available to the person currently logged on to the workstation under the original person's login....The ER has never been set up...to automatically log off users after a period of inactivity. If a user does not log off, the access continues indefinitely until their access is logged off or the computer power is recycled."

FPO 2 further documented, "In the time since the incident [related to the investigation] all the computer workstations had been replaced in the ER...I requested that the ER which currently only stores 90 days of user activities in a live data base, have the timeframe extended to a full six years."

A review of the online course provided for employees titled, "HIPAA, the Health Insurance Portability and Accountability Act," printed 2/21/14, indicated under section 4.3 "Security Standards: General: Ensure the confidentiality, integrity, and availability of electronic PHI. Protect against threats to security of PHI. Protect against unauthorized use or disclosure of PHI..." Section 4.5 "Administrative Safeguards: Security Management Process" listed: Prevent security violations. Detect violations. Contain violations, and correct violations, which included looking at how electronic PHI might be at risk and taking steps to address the risks found in the analysis.

A review of the facility's policy and procedure titled, "Creation, Issuance, and Maintenance of Login Names and Passwords," dated September 2012, under "Purpose," indicated, "Access to databases and other sources of ePHI (electronic protected health information) under control of [facility's name] must also be protected." Under the section titled "Policy" was written, "A minimum number of generic access logins are allowed to serve specific locations where such login promote the most efficient use of workforce time...Generic logins shall not be used to access databases containing ePHI."

During a review of the documented statement from Employee 1 sent via email to the FPO, dated February 7, 2014, Employee 1 had written, "My understanding is that I was not even clocked in on the day it showed I looked at Patient A's chart." A second e-mail dated February 10, 2014 indicated, "We all use the same computers and when it gets busy it's easy to forget to sign out or look at who is signed in. Yes, I do forget to log off a computer at the end of my shift: especially if we are busy. We all share computers so I can be logged into more than one. We usually try to dominate one computer on a shift but it rarely stays that way."

This confirmed FPO 2's findings during his investigation, which showed, "...A total of three instances of employee logins other than Patient A (a former employee), that had been used to access portions of Patient A's medical record...occurred on dates that the owners did not work. On all three dates, however, Patient A was working in the ER."

The failure in the system to secure access to ED patients' electronic PHI, due to the lack of technical safeguards in the generic computer program, resulted in Patient A's clinic note being accessed without authorization. The facility was unable to determine who accessed the information (including Patient A, who was on duty on all three days) or whether the access was within the course of the employees' job duties, which placed all ED patients at risk of unauthorized access to their PHI.
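The two audit-log checks that the findings above turn on are the correlation of chart accesses against timeclock records (the investigator's "dates that the owners did not work") and the identification of workstation sessions that were never logged off because no inactivity timeout existed. The following is an added example, not code from the report, the facility or any EHR vendor: it runs both checks over constructed sample data. All logins, patient identifiers, workstation names, timestamps and the record layouts are hypothetical; a real EHR audit export would need its own parser in place of the inline lists.

```python
"""Audit-log checks for shared ED workstations (constructed example).

Correlates EHR chart-access records with timeclock data to find accesses made
under a credential whose owner was not at work, and lists workstation sessions
that were opened but never logged off. All data below is hypothetical.
"""
from datetime import datetime

TS = "%Y-%m-%d %H:%M"

# Constructed EHR access records: (timestamp, login used, chart accessed, workstation)
ACCESS_LOG = [
    ("2014-01-15 08:05", "rn_smith", "PT-1001", "ER-WS1"),
    ("2014-01-15 08:20", "rn_smith", "PT-A", "ER-WS1"),
    ("2014-01-15 09:10", "rn_jones", "PT-1002", "ER-WS2"),
    ("2014-01-16 14:00", "rn_lee", "PT-A", "ER-WS1"),
    ("2014-01-16 14:30", "rn_jones", "PT-1003", "ER-WS2"),
    ("2014-01-17 07:45", "rn_jones", "PT-A", "ER-WS3"),
]

# Constructed timeclock data: the dates on which each login's owner was clocked in.
TIMECLOCK = {
    "rn_smith": {"2014-01-16", "2014-01-17"},
    "rn_jones": {"2014-01-15", "2014-01-16", "2014-01-17"},
    "rn_lee": {"2014-01-15", "2014-01-17"},
}

# Constructed workstation session events: (timestamp, event, login, workstation)
SESSION_EVENTS = [
    ("2014-01-15 07:00", "login", "rn_smith", "ER-WS1"),
    ("2014-01-15 19:30", "logoff", "rn_smith", "ER-WS1"),
    ("2014-01-16 13:00", "login", "rn_lee", "ER-WS1"),
    ("2014-01-17 07:30", "login", "rn_jones", "ER-WS3"),
    ("2014-01-17 19:45", "logoff", "rn_jones", "ER-WS3"),
]


def accesses_off_shift(access_log, timeclock):
    """Return accesses made under a login whose owner was not clocked in that day.

    A chart opened under a credential whose owner was not working is the
    signature of a shared or abandoned session; each hit needs human review to
    establish who was actually at the workstation, since the log cannot say.
    """
    hits = []
    for ts, login, chart, ws in access_log:
        day = ts[:10]  # timeclock data is per calendar date
        if day not in timeclock.get(login, set()):
            hits.append((ts, login, chart, ws))
    return hits


def chart_accesses_off_shift(access_log, timeclock, chart):
    """Narrow the off-shift check to one patient's chart, as an investigator would."""
    return [h for h in accesses_off_shift(access_log, timeclock) if h[2] == chart]


def sessions_without_logoff(events, log_end):
    """Return sessions still open at log_end and how many hours they have been open.

    With no inactivity timeout, an open session stays usable by whoever next
    sits at the workstation, which is the exposure described in the findings.
    """
    end = datetime.strptime(log_end, TS)
    open_sessions = {}
    for ts, event, login, ws in sorted(events):
        key = (login, ws)
        if event == "login":
            open_sessions[key] = datetime.strptime(ts, TS)
        elif event == "logoff":
            open_sessions.pop(key, None)
    return [
        (login, ws, started.strftime(TS), round((end - started).total_seconds() / 3600, 1))
        for (login, ws), started in open_sessions.items()
    ]


if __name__ == "__main__":
    for hit in chart_accesses_off_shift(ACCESS_LOG, TIMECLOCK, "PT-A"):
        print("off-shift access to chart:", hit)
    for sess in sessions_without_logoff(SESSION_EVENTS, "2014-01-18 00:00"):
        print("session never logged off:", sess)
```

Both checks only work if the audit trail covers the period under investigation, which is why the 90-day retention noted in the findings matters: an access that occurred before the retention window cannot be correlated with anything.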

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
