Unauthorized Disclosure of Resident PHI to Outside Contractor
Summary
The facility failed to protect a resident’s right to privacy and confidentiality of personal and medical records when it disclosed protected health information (PHI) to an outside contractor without proper authorization. The resident, admitted with diagnoses including cognitive communication deficit, history of transient ischemic attack and cerebral infarction, and end stage renal disease, had a BIMS score of 11 on a quarterly MDS, indicating moderate cognitive impairment. Record review showed the resident had a healthcare POA appointed on 08/19/25 and a financial POA appointed on 09/21/25, both naming the same individual, with the financial POA effective immediately. Despite this, the facility could not provide documentation that the POA had consented to share the resident’s information with Contract Company #500. The Float Business Office Manager confirmed that a face sheet for this resident was provided to Contract Company #500 on 03/12/26 without the POA’s consent to release HIPAA-related information to an outside provider. The POA stated she did not authorize the sharing of the face sheet and reported that the contractor contacted the resident’s bank and insurance company without her consent. The resident reported significant memory issues, inconsistent recall, and missing details, and stated she had communicated these limitations to the contractor multiple times. The resident was unaware that the contractor had her face sheet prior to their meeting and reported feeling unhappy and uneasy upon learning that her personal information had been shared without her knowledge. The contractor representative confirmed that his company received the resident’s face sheet from the facility. Review of the facility’s HIPAA policy showed that the facility may not disclose an individual’s PHI without written authorization.
Penalty
Resources
Below are regulatory guidelines relevant to this citation:
Surveyors found that during a morning med pass on one hall, RNs repeatedly left a medication cart laptop open with the electronic charting system visible and accessible while walking away to administer meds in resident rooms. A staff member confirmed the laptop remained open and unsecured even as a resident ambulated nearby. In interviews, an RN acknowledged not following the expected practice of minimizing the charting system and closing the laptop screen, and facility leadership confirmed there was no formal written policy on securing laptops when staff left the med cart, despite an expectation that screens be closed to prevent visibility.
A cognitively intact, fully dependent and always incontinent resident received incontinence care from a CNA in a shared room without the privacy curtain being drawn, despite the roommate being present. During the care, the resident’s genital area and buttocks were exposed while the CNA removed the adult brief and cleaned the resident. The resident later reported that staff sometimes forget to pull the curtain and that this exposure sometimes bothers him, and the CNA acknowledged not using the privacy curtain, contrary to facility policy on resident privacy during personal care.
A cognitively intact resident with Huntington’s disease and other conditions was participating in chair exercises when a CNA used a personal cellphone to record the resident lifting her leg above her head, without any signed photo release or consent from the resident’s POA. Two other CNAs watched the event and did not report it. Other staff later observed the CNAs laughing and viewing the image on the phone. Review of incident reports, staff statements, and the facility’s social media policy confirmed that the recording was taken in the work area using a personal device and that facility policy prohibits taking or sharing resident photos or videos without prior written permission.
A resident who was cognitively intact and required supervision with ADLs was discharged, and an LPN mistakenly sent that resident’s representative home with another resident’s medications and written discharge instructions, which included detailed information on multiple prescribed drugs for serious conditions such as cerebral infarction, seizures, and sepsis. The error was discovered at shift change when the night nurse could not locate the second resident’s medications in the cart. The administrator and DON confirmed that the wrong medications and paperwork had been provided, and the discharging resident’s representative later reported to police that they had received another resident’s private health information, although none of the incorrect medications were taken.
Surveyors found that during medication administration, two RNs repeatedly left an electronic medical record screen open and visible on the med cart while entering resident rooms, exposing protected health information (PHI). For multiple residents with complex conditions such as diabetes, CHF, dementia, cerebral palsy, acute kidney failure, depression, and urinary issues, the EMR displayed names, room numbers, diagnoses, and medications and was not locked or secured. Both RNs confirmed in interviews that they did not lock the computer screens before leaving the cart, resulting in PHI being viewable to anyone passing by.
An unattended medication cart laptop at the nurses’ station was left open to a cognitively intact resident’s electronic record, displaying PHI including the resident’s photo, name, gender, room number, date of birth, code status, allergies, and recent vital signs. The cart and laptop were unattended in a common area, allowing anyone passing by to view the information. An LPN confirmed the laptop was left open with visible PHI, despite a facility policy assigning staff responsibility to prevent unauthorized disclosure of PHI.
Unsecured Electronic Charting System During Med Pass
Penalty
Summary
The deficiency involves the facility’s failure to maintain privacy and confidentiality of residents’ electronic medical records during medication administration on the 300 hall, affecting 12 identified residents. On 04/13/2026 at 9:47 A.M., an RN walked away from the medication cart while the laptop on the cart remained open with the facility’s electronic charting system visible and accessible to anyone in the immediate area. Shortly thereafter, another RN began using the same cart for medication administration and, at 9:52 A.M., entered a resident’s room to administer medications while leaving the laptop screen open in the hallway with the charting system visible. This observation was corroborated by a housekeeper who was present in the hallway at the time. At 9:55 A.M., the same RN returned to the cart, prepared medications for another resident, and before leaving again only minimized the charting system window, leaving the laptop open and unsecured while a resident was observed ambulating near the unattended cart. When the RN returned at 9:58 A.M., the laptop remained open and accessible. In an interview, the RN confirmed that the laptop had remained open and acknowledged that the expected practice was to minimize the charting system and fold the laptop screen down when stepping away, which was not followed. In a subsequent interview, the Administrator and DON confirmed that, although the expectation was for staff to minimize the charting system and close the laptop screen to prevent visibility, the facility did not have a formal written policy addressing laptop security when staff walked away from the medication cart.
Failure to Ensure Privacy During Incontinence Care
Penalty
Summary
The deficiency involves a failure to maintain privacy during incontinence care for Resident #3. The resident was admitted with multiple diagnoses including lung disease, heart failure, diabetes, anxiety, gastric reflux, hypertension, arthritis, and a gastric bleed. A quarterly MDS assessment dated 01/14/26 documented that the resident was cognitively intact, dependent on staff for personal hygiene, toileting, bathing, dressing, transfer, and mobility, and was always incontinent of bowel and bladder. Facility policy on Resident Rights stated that residents have the right to privacy and confidentiality, including personal privacy during personal care. On 03/25/26 at 8:58 A.M., a surveyor observed CNA #137 gather supplies and enter the double-occupancy room of Resident #3, closing the door while the resident’s roommate remained in the room in his wheelchair. Although a privacy curtain divided the room, the CNA did not draw the curtain at any time during the incontinence care. The CNA removed the resident’s adult brief, exposing his genital area for cleaning, and then had him roll to his left side toward the wall, which exposed his buttocks to his roommate while care continued. During an interview at 9:04 A.M. the same day, the resident stated that CNAs sometimes forget to pull the curtain during incontinence care and that it sometimes bothers him to be exposed to his roommate when present. CNA #137, present during the interview, acknowledged she had not pulled the privacy curtain.
Unauthorized Cellphone Recording of Resident Without Consent
Penalty
Summary
The facility failed to ensure the confidentiality and privacy of a resident’s personal and medical information when a CNA used a personal cellphone to record the resident without consent. The resident, admitted with diagnoses including Huntington’s disease, anxiety, and protein calorie malnutrition, was cognitively intact with a BIMS score of 13 and required one-person assistance with ADLs. During a chair exercise activity in the dining room, the CNA observed the resident lifting her leg above her head and took out her cellphone to take a picture/video of the resident. Two other CNAs stood nearby, watched the resident performing the exercises, and witnessed the recording being made but did not report it. The resident’s POA later confirmed that she had not given authorization for any photos or videos to be taken of the resident. Multiple staff interviews and document reviews corroborated that the recording occurred and that it involved the resident’s image being captured without prior authorization. The Activities Director and Business Office Manager both observed the three CNAs outside the dining room laughing and looking at a cellphone image of the resident with her leg pointed straight up. Review of the incident reports and staff statements confirmed that the recording was made on a personal cellphone in the work area. The Admissions Coordinator verified that there was no signed photo release authorization for the resident, and review of the facility’s Social Media Policy showed that employees are prohibited from using personal electronic devices in the work area without written approval and from taking or sharing resident photos or videos without prior written permission from the resident or authorized agent. Observation of the video by the Administrator and DON further confirmed that the resident had been recorded without authorization, constituting a breach of confidentiality and privacy.
Privacy Breach When Wrong Discharge Medications and Instructions Given to Another Resident
Penalty
Summary
The facility failed to ensure the privacy and confidentiality of a resident's health information when discharge medications and paperwork for one resident were mistakenly given to another resident's representative. Resident #70, who was cognitively intact and required supervision with ADLs, was discharged on 09/30/25. At discharge, LPN #142 accidentally provided Resident #70's representative with Resident #71's medications and written discharge instructions instead of Resident #70's. Resident #71 had been admitted with diagnoses including cerebral infarction, seizures, and sepsis and had active physician orders for multiple medications, including Norvasc, aspirin, Biotin, Cozaar, folic acid, Keppra, Lipitor, methotrexate, metoprolol, polyethylene glycol, prednisolone eye drops, sennoside, and Synthroid. The error was not identified by facility staff until shift change, when the night shift nurse was unable to locate Resident #71's medications in the medication cart. The Administrator and DON reported that nursing staff realized the wrong medications and discharge instructions had been given to Resident #70 approximately two to three hours after the resident left the facility. Resident #70's representative later reported the incident to the police and confirmed that the facility had sent home another resident's medications and discharge instructions, and that none of those medications had been taken. Both the Administrator and Resident #70's representative confirmed that private health information for Resident #71 had been disclosed to Resident #70 and her representative, contrary to the facility's HIPAA policy, which states that the facility will protect the privacy and confidentiality of residents' individually identifiable health information.
Failure to Protect Resident PHI During Medication Administration
Penalty
Summary
Surveyors identified a deficiency related to failure to maintain privacy of residents' personal and medical records during medication administration. On multiple occasions on the same day, two RNs prepared medications at a medication cart with an electronic medical record (EMR) screen displaying residents' protected health information and then entered resident rooms without locking the computer screen. For one resident with diabetes, muscle weakness, cognitive communication deficit, need for assistance with personal care, hypertension, constipation, and congestive heart failure, an RN left the EMR open showing the resident's name, room number, diagnoses, and medications visible to anyone passing by. The RN confirmed in interview that she had not locked the computer screen to protect the resident's personal health information. Similar observations were made for five additional residents with various diagnoses including eating disorder, cerebral palsy, acute kidney failure, gastrointestinal hemorrhage, anxiety disorder, constipation, exposure to viral communicable diseases, malignant neoplasms of the pancreatic duct and kidney, depression, dementia, urinary tract infection, urine retention, neuromuscular dysfunction of the bladder, slow transit constipation, altered mental status, and congestive heart failure. In each case, the RN prepared medications at the cart, left the EMR screen active and visible with the resident's name, room number, diagnoses, and medications, and then entered the resident's room to administer medications without securing the screen. Both RNs involved acknowledged during interviews that they had not locked the computer screens to protect the residents' personal health information.
Unattended Laptop Exposed Resident PHI at Nurses’ Station
Penalty
Summary
The deficiency involved a failure to keep a resident’s protected health information (PHI) private and confidential when an unattended medication cart laptop was left open and visible in a common area. The resident involved had multiple medical diagnoses including respiratory failure, heart disease, atrial fibrillation, pulmonary hypertension, peripheral venous insufficiency, a history of falling, and transient ischemic attacks, and was cognitively intact, used a wheelchair, and required maximal to dependent assistance with ADLs per a recent MDS assessment. During observation at the second-floor nurses’ station, surveyors noted the laptop on the medication cart was left open to the landing page for this resident, displaying PHI such as the resident’s photo, name, gender, room number, date of birth, code status, allergies, and most recent vital signs, and the cart and laptop were unattended, making the information viewable to anyone passing by. An LPN confirmed that the laptop was unattended and that PHI for the resident was visible, and review of the facility’s PHI policy showed that facility personnel were responsible for preventing unauthorized disclosure of PHI; this issue was identified as an incidental finding during a complaint investigation.
Trusted data from CMS and state health departments
Every citation, penalty and Plan of Correction is sourced from public CMS records (latest release June 24, 2026) and official state health department websites — never guesswork.
Trusted by long-term care providers and associations.
Self-audit
Pick a level of detail and, optionally, what to focus on — then generate a survey-ready checklist distilled from the most recent citations.
Beta · AI-generated — for reference only, not professional advice. Verify against current CMS guidance before relying on it. Assisto accepts no responsibility for how this checklist is used.