QA Investigation Results

Pennsylvania Department of Health
AVEANNA HEALTHCARE
Health Inspection Results


There are 4 surveys for this facility.

Surveys don't appear on this website until at least 41 days have elapsed since the exit date of the survey.



Initial Comments:



Based on the findings of an unannounced off-site home health agency complaint investigation survey conducted March 31, 2021, Aveanna Healthcare was found not to be in compliance with the requirements of 42 CFR, Part 484, Subparts B and C, Conditions of Participation: Home Health Agencies.




Plan of Correction:




484.50(c)(6) ELEMENT
Have a confidential clinical record

Name - Component - 00
Have a confidential clinical record. Access to or release of patient information and clinical records is permitted in accordance with 45 CFR parts 160 and 164.

Observations:


Based on review of electronic health record procedures for screening for COVID, emails from complainant, Agency Administrator and Agency Area Vice President of Clinical Operations and an interview with the Office Administrator, the agency failed to ensure that electronic protected health information (PHI) was secured and kept confidential according to HIPAA (Health Insurance Portability and Accountability Act) standards.

Findings:

Review of two (2) website links for employee COVID-19 Assessment Reading and COVID Individual/Patient Screening Tool Location on 04/14/21 at 12:35 PM revealed:

The following statement is printed at the bottom of the employee/patient COVID-19 assessment reading: "This content is created by the owner of the form. The data you submit will be sent to the form owner. Microsoft is not responsible for the privacy or security practices of its customers, including those of this form owner. Never give out your password. The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information."

Surveyor used the web link for the employee COVID-19 assessment reading and was able to complete and submit the assessment without being asked to submit it securely.

Review of Aveanna Healthcare Mobile App Security Acknowledgement Form on 04/14/21 at 1:55 PM revealed:
The security form has several statements that need to be acknowledged by the employee when using the Mobile App including: the employee understanding that they are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA) and Aveanna policies, the employee will ensure that their personal cell phone is secure and password protected, the employee should not allow other people to use their personal cell phone while the mobile app is installed, the employee will not save any protected health information that was accessed from the mobile app on their personal cell phone. The Mobile App security acknowledgement form also informs the employee that if they fail to secure their personal cell phone while the Mobile App is installed, it could lead to a privacy violation which could include notification, breach reporting and possible sanctions against the employee and Aveanna.

Review of emails sent between complainant and Agency Administrator on 04/14/21 at 4:30 PM revealed:

Complainant didn't feel comfortable using her personal cell phone to complete the COVID screening tools and asked why the agency was not supplying the technology to the staff to use or to allow the staff to use their HOPE device (electronic tablet used for documentation) to complete the screenings.
Agency Administrator responded "I created the links, they only come to my email. EVERYTHING I do is encrypted, so no worries. Feel free to put the links on the hope device. Everyone else in the company does it on their phones, I fail to understand your hesitation to cooperate with company protocol."




An interview with the Agency Administrator and Agency Area Vice President of Clinical Operations conducted on 4/8/21 at approximately 12:30 PM confirmed the above findings.

















Plan of Correction:




Executive director will add the statement to the COVID form. Ongoing, the COVID form will have this statement.

Completion Date: 5/10/2021



484.110(d) STANDARD
Protection of records

Name - Component - 00
Standard: Protection of records.
The clinical record, its contents, and the information contained therein must be safeguarded against loss or unauthorized use. The HHA must be in compliance with the rules regarding protected health information set out at 45 CFR parts 160 and 164.

Observations:


Based on review of electronic health record procedures for screening for COVID, emails from complainant, Agency Administrator and Agency Area Vice President of Clinical Operations and an interview with the Office Administrator, the agency failed to ensure that electronic protected health information (PHI) was secured and kept confidential according to HIPAA (Health Insurance Portability and Accountability Act) standards.

Findings:

Review of two (2) website links for employee COVID-19 Assessment Reading and COVID Individual/Patient Screening Tool Location on 04/14/21 at 12:35 PM revealed:

The following statement is printed at the bottom of the employee/patient COVID-19 assessment reading: "This content is created by the owner of the form. The data you submit will be sent to the form owner. Microsoft is not responsible for the privacy or security practices of its customers, including those of this form owner. Never give out your password. The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information."

Surveyor used the web link for the employee COVID-19 assessment reading and was able to complete and submit the assessment without being asked to submit it securely.

Review of Aveanna Healthcare Mobile App Security Acknowledgement Form on 04/14/21 at 1:55 PM revealed:
The security form has several statements that need to be acknowledged by the employee when using the Mobile App including: the employee understanding that they are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA) and Aveanna policies, the employee will ensure that their personal cell phone is secure and password protected, the employee should not allow other people to use their personal cell phone while the mobile app is installed, the employee will not save any protected health information that was accessed from the mobile app on their personal cell phone. The Mobile App security acknowledgement form also informs the employee that if they fail to secure their personal cell phone while the Mobile App is installed, it could lead to a privacy violation which could include notification, breach reporting and possible sanctions against the employee and Aveanna.

Review of emails sent between complainant and Agency Administrator on 04/14/21 at 4:30 PM revealed:

Complainant didn't feel comfortable using her personal cell phone to complete the COVID screening tools and asked why the agency was not supplying the technology to the staff to use or to allow the staff to use their HOPE device (electronic tablet used for documentation) to complete the screenings.
Agency Administrator responded "I created the links, they only come to my email. EVERYTHING I do is encrypted, so no worries. Feel free to put the links on the hope device. Everyone else in the company does it on their phones, I fail to understand your hesitation to cooperate with company protocol."




An interview with the Agency Administrator and Agency Area Vice President of Clinical Operations conducted on 4/8/21 at approximately 12:30 PM confirmed the above findings.
















Plan of Correction:


Executive director will add the statement to the COVID form. Ongoing the COVID form will have this statement.

Completion Date: 5/10/2021


Initial Comments:

Based on the findings of an unannounced off-site home health agency complaint investigation survey conducted March 31, 2021, Aveanna Healthcare was found not to be in compliance with the requirements of 28 Pa. Code, Part IV, Health Facilities, Subpart G, Chapter 601.




Plan of Correction:




601.3 REQUIREMENT
COMPLIANCE W/ FED, ST, & LOCAL LAWS

Name - Component - 00
601.3 COMPLIANCE WITH FEDERAL, STATE AND LOCAL LAWS.
The home health agency and its staff are in compliance with all applicable Federal, State and Local Laws and regulations.

Observations:

Based on review of electronic health record procedures for screening for COVID, emails from complainant, Agency Administrator and Agency Area Vice President of Clinical Operations and an interview with the Office Administrator, the agency failed to ensure that electronic protected health information (PHI) was secured and kept confidential according to HIPAA (Health Insurance Portability and Accountability Act) standards.

Findings:

Review of two (2) website links for employee COVID-19 Assessment Reading and COVID Individual/Patient Screening Tool Location on 04/14/21 at 12:35 PM revealed:

The following statement is printed at the bottom of the employee/patient COVID-19 assessment reading: "This content is created by the owner of the form. The data you submit will be sent to the form owner. Microsoft is not responsible for the privacy or security practices of its customers, including those of this form owner. Never give out your password. The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information."

Surveyor used the web link for the employee COVID-19 assessment reading and was able to complete and submit the assessment without being asked to submit it securely.

Review of Aveanna Healthcare Mobile App Security Acknowledgement Form on 04/14/21 at 1:55 PM revealed:
The security form has several statements that need to be acknowledged by the employee when using the Mobile App including: the employee understanding that they are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA) and Aveanna policies, the employee will ensure that their personal phone is secure and password protected, the employee should not allow other people to use their personal phone while the mobile app is installed, the employee will not save any protected health information that was accessed from the mobile app on their personal cell phone. The Mobile App security acknowledgement form also informs the employee that if they fail to secure their personal cell phone while the Mobile App is installed, it could lead to a privacy violation which could include notification, breach reporting and possible sanctions against the employee and Aveanna.

Review of emails sent between complainant and Agency Administrator on 04/14/21 at 4:30 PM revealed:

Complainant didn't feel comfortable using her personal cell phone to complete the COVID screening tools and asked why the agency was not supplying the technology to the staff to use or to allow the staff to use their HOPE device (agency-issued electronic tablet used for documentation) to complete the screenings.
Agency Administrator responded "I created the links, they only come to my email. EVERYTHING I do is encrypted, so no worries. Feel free to put the links on the hope device. Everyone else in the company does it on their phones, I fail to understand your hesitation to cooperate with company protocol."




An interview with the Agency Administrator and Agency Area Vice President of Clinical Operations conducted on 4/8/21 at approximately 12:30 PM confirmed the above findings.



















Plan of Correction:

Executive director will add the statement to the COVID form. Ongoing, the COVID form will have this statement.

Completion Date: 5/10/2021

Office will track re-education using read receipts. Clinical supervisors will continue to monitor device usage during supervisory visits and provide re-education as needed. Going forward, this location will add this information to orientation.

Completion Date: 5/15/2021


601.36(c) REQUIREMENT
PROTECTION OF RECORDS

Name - Component - 00
601.36(c) Protection of Records.
Clinical record information is safeguarded against loss or unauthorized use. Written procedures govern use and removal of records and conditions for release of information. Patient's written consent is required for release of information not authorized by law.

Observations:



Based on review of electronic health record procedures for screening for COVID, emails from complainant, Agency Administrator and Agency Area Vice President of Clinical Operations and an interview with the Office Administrator, the agency failed to ensure that electronic protected health information (PHI) was secured and kept confidential according to HIPAA (Health Insurance Portability and Accountability Act) standards.

Findings:

Review of two (2) website links for employee COVID-19 Assessment Reading and COVID Individual/Patient Screening Tool Location on 04/14/21 at 12:35 PM revealed:

The following statement is printed at the bottom of the employee/patient COVID-19 assessment reading: "This content is created by the owner of the form. The data you submit will be sent to the form owner. Microsoft is not responsible for the privacy or security practices of its customers, including those of this form owner. Never give out your password. The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information."

Surveyor used the web link for the employee COVID-19 assessment reading and was able to complete and submit the assessment without being asked to submit it securely.

Review of Aveanna Healthcare Mobile App Security Acknowledgement Form on 04/14/21 at 1:55 PM revealed:
The security form has several statements that need to be acknowledged by the employee when using the Mobile App including: the employee understanding that they are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA) and Aveanna policies, the employee will ensure that their personal cell phone is secure and password protected, the employee should not allow other people to use their personal cell phone while the mobile app is installed, the employee will not save any protected health information that was accessed from the mobile app on their personal cell phone. The Mobile App security acknowledgement form also informs the employee that if they fail to secure their personal cell phone while the Mobile App is installed, it could lead to a privacy violation which could include notification, breach reporting and possible sanctions against the employee and Aveanna.

Review of emails sent between complainant and Agency Administrator on 04/14/21 at 4:30 PM revealed:

Complainant didn't feel comfortable using her personal cell phone to complete the COVID screening tools and asked why the agency was not supplying the technology to the staff to use or to allow the staff to use their HOPE device (electronic tablet used for documentation) to complete the screenings.
Agency Administrator responded "I created the links, they only come to my email. EVERYTHING I do is encrypted, so no worries. Feel free to put the links on the hope device. Everyone else in the company does it on their phones, I fail to understand your hesitation to cooperate with company protocol."




An interview with the Agency Administrator and Agency Area Vice President of Clinical Operations conducted on 4/8/21 at approximately 12:30 PM confirmed the above findings.



















Plan of Correction:

Executive director will add the statement to the COVID form. Ongoing, the COVID form will have this statement.

Completion Date: 5/10/2021

Office will track re-education using read receipts. Clinical supervisors will continue to monitor device usage during supervisory visits and provide re-education as needed. Going forward, this location will add this information to orientation.

Completion Date: 5/15/2021