What Would You Do?

I recently had an experience with a major hospital. This hospital is one of hundreds, owned by a large corporation, that are located in both the U.S. and the U.K.

The experience touched me so much that I felt I needed to share the details of my experience with the company CEO. All I asked of the CEO in question was that he notify me that he did indeed receive my letter, so that I could know I did what I could to help effect change.

After 3 weeks, I received no notification from this CEO or his staff. I decided then to forward the same letter to contacts listed at this organization's web site; they were investor relations contacts. I simply asked if they would confirm that they received my letter, and forwarded it to the CEO. I could then walk away knowing that I did what I could to effect change - without the stigma of contacting authorities, impacting the hospital employees' well-being, and possibly even threatening the hospital's very existence. The thought of the possible impact on the local community weighed heavily on me.

Please read my letter to the CEO, which has been edited to protect the individuals in this scenario.

The Letter

Dear Mr. CEO.

I recently spent several days at one of your hospitals, when my mother had been admitted for an infectious wound on her hand and was then later treated for sepsis. I felt the need to share my observations with you regarding your facility, and you will see why it is very important that you become aware of these issues.

I would like to first establish that I am no stranger to the healthcare industry. Presently, I am the CIO and Security Officer of one of the largest optometry / ophthalmology practices in my state, where I chair a committee of professionals that have oversight of HIPAA and ePHI administrative, technical, and physical safeguards. Prior to that, I was a Senior Director (IT and Enterprise Apps) for a women's reproductive health care provider with partner agencies across the entire state. In that role, I had similar responsibilities.  

Testing and Provider Feedback

My ending thoughts regarding our experience at this hospital were that my mother spent additional, unnecessary days of inpatient status at the expense of the taxpayer. Weeks prior, she had torn the outer part of her left hand, and had to have it irrigated, stitched, and bandaged. She was also prescribed some oral antibiotics. She finished the antibiotics and was caring for her hand. Weeks later, an unforeseen incident took place where a dog (a pet of a family member) accidentally ran its paw across my mother's hand, and it later became severely swollen and infected. She went back to the hospital and I arrived to meet her at the hospital on 28 December, 2018. It was from that time onward that I made my observations.

The medical care team there drew six vials of blood for testing for screening and surety purposes. I am sure that this was a protocol response for this kind of encounter. 

I learned that the hand surgeon providing oversight over my mother's case had recommended that they open up her hand and surgically remove the infectious material. She spent that same evening at the hospital taking antibiotics intravenously. The swelling later went down and her hand surgeon, who I will call Dr. Gilbert, had been satisfied that there was no need for surgery. His consultative input contributed to her discharge orders. 

She was already dressed and ready to leave the hospital when the lab had relayed to the hospitalist overseeing her case that there was "an unidentified microorganism" growing in her blood culture and that she could not leave. She was immediately prescribed additional (and stronger) antibiotic treatments. She had become septic, due either to something that was on the dog's paw, or something that was in the hospital. We may never know the answer to that. 

She had already become reacquainted with being in the bed, and after several tries by different staff members, had a new IV inserted into her arm to facilitate receiving antibiotics. After approximately 36 hours, she was tested again. The next morning, we learned that the first test was negative for infection. This seemingly took hours. We ended up waiting almost a third day in total waiting for this second test to come back. I lost track of how many times that the nursing staff (on our request) called both her doctor and the lab only to find out that they are still waiting. We were also advised that both the doctor and lab were working over the New Year's holiday, and that the lab was sincerely waiting for this second test to complete. 

I finally had enough empty answers from staff, as did my mother. After our largely terrible customer service experience there, we felt that something wasn't right. I advised the nurse that we may need to consider having a third-party physician do a complete chart review of my mother’s entire experience. I feel that there were additional overnight stays padded into my mother's experience. A third-party might likely find a number of questions that require answers. I further added that if there is something that she can do or someone she can call to find out my mother's labs results and get her discharged, that she should call those things into service. The following day she learned that her tests all came back negative, suggesting to all that the antibiotics had addressed the infection that was underway in her bloodstream. 

I would like to note that the generalist/hospitalist, who I will call Dr. Angelica, is a very pleasant physician. The contractor hand specialist, Dr. Gilbert, comes across as cocky. He is curt with patients and overall is a generally overstretched provider. As I spoke with him, I learned that he supports more than half a dozen hospitals in the area, and was making visits to each of them. He took the time to explain to my mother how the doctors there are divided up based on the areas of care that they support and that they do not speak with one another. He further advised that it was up to the hospitalist, Dr. Angelica, to collect, analyze, and act on all of this information to ensure that her care goes smoothly. Dr. Angelica herself seemed to have a large number of patients to oversee as well.

Dr. Gilbert also informed me that he does not have access to this hospital's EMR where he can see her chart. He can only do that while onsite. I found this incredible. This lent itself to some problems. My mother asked various medical staff during her stay several times if she should be taking her potassium pills due to her high blood pressure. I am still unclear if she ever got an answer. We were forced to self-diagnose that if her blood pressure remains normal throughout that she should be okay. It would have been a much better caregiver experience if someone had specifically told us that.

HIPAA & PHI Concerns

On one occasion during a nurse’s visit, I found that one of the staff members left what appeared to be a floor patient roster. She did not rest it there while she was doing something else pertinent to my mother's care. She actively set it there and left the room for a very long time. This roster was two pages long, and by conservative estimates, I would estimate there were 30 patients on the list. I know that none of this is news to you, but I would like to expound on a few things that are pertinent to your organization's well-being insofar as governance and compliance are concerned.

This roster had patient first name, last name, room number, nurse assigned, physician under care, date of birth, and room number. That is categorically PHI (Patient Health Information), since this hospital is indeed what HHS-OCR considers a "covered entity." After briefly consulting with my own security and risk assessment notes, I recalled what could be at stake during findings like this. They are broken up into the following categories:

  • Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
  • Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

Minimum Fines Per Category:

  • Category 1: Minimum fine of $100 per violation up to $50,000
  • Category 2: Minimum fine of $1,000 per violation up to $50,000
  • Category 3: Minimum fine of $10,000 per violation up to $50,000
  • Category 4: Minimum fine of $50,000 per violation.

As an auditor, I would have easily placed this HIPAA incident into category 4, and an exposure of 30 patients' data had occurred. The reason is simple: each of your caregivers and staff have been fully briefed on HIPAA and safeguards. They simply allowed a condition to persist. 

There is a maximum fine per category, as set forth by governance. This hospital could have easily been assessed a $1,500,000.00 fine for that infraction. Twice, actually, because one fine would come from OCR, and the other from any government office they refer the findings to (be it the FTC, the U.S. Attorney General, what have you). Because I was present to oversee my mother's medical care, I did not turn this visit into some kind of yearly risk and ongoing assessment that I perform regularly. I simply returned this roster to the nurses' station and advised them of what I found. 

Additionally, computer workstations throughout the hospital would benefit a great deal from having ePHI filters installed on the monitors. I can see patient information and chart data with little difficulty while standing at an angle at nurses’ stations, office areas, etc. ePHI filters effectively make it impossible for an onlooker to see information on the screen, unless they are sitting directly in front of it. At an angle, the information on the screen is unreadable.

There were a number of occasions where staff were not actively using workstations and not locking them (preventing any viewing or access to patient information) as they left. As you will agree, access to information, and in fact informatics itself, constitutes at least 30% of any medical professional’s schedule, and takes on a severe level of importance. Protecting it at all costs is paramount. 

Facilities / Maintenance

The generally unkempt appearance of the parkade was highly noticeable, and certainly not in keeping with what I would call a first-world hospital. Trash was everywhere, and where trash bins existed, they always appeared full. It occurred to me that they were not being emptied on a routine basis.

The bathroom in the hospital room itself had the cleanliness level of one I would expect in a public space such as a welcome center or rest area. It had an odor, and the floor did not have the appearance of one that had been sanitized for quite some time. 

During my mother’s stay, we had to ask the staff to make a call to maintenance, for there was a persistent leak in the toilet’s plumbing that left a pool of water on the floor. This is where my mother had to shower during her stay. 

Sanitization and Microbe Control

ANY staff that enter or exit a patient's room must be thoroughly adapted to sanitizing their hands with the antimicrobial lotion at the entranceway to the patient's room. I witnessed so many times where they did not. Further, I encountered a number of dispensers empty at this same hospital. 

Restaurant / Cantina Outlets and Nutrition / Food

There was a Blimpie's onsite, and although I know that this is subcontracted on a consignment basis in the hospital, the staff and corresponding service was horrible. There was one gentleman that was working there that in my own opinion, had the appearance as though he had been using drugs a great deal, or perhaps even was still under the influence of drugs. 

This restaurant was staffed with one (1) active employee, and I truly had to stand in line for a sub for every bit of a half an hour. On this occasion, I was the only patron waiting to be served. 

As far as admitted patient nutritional services are concerned, I can safely say that not one meal was served on time; not even close.

On one occasion, the Nutrition department called my mother on her room phone and asked her what she wanted. They completely ignored every request she made, including bringing things she did not want and denying her meal elements that she did - elements that were made available to her during the call.  

Customer Service Atmosphere

As a general experience, I found that a few of the caregiver staff were excellent, while some were downright corrosive. On two separate occasions, one coordinator on this floor was taking attitude with my mother and quickly lost patience with her. My mother was simply upset and not getting answers. This coordinator could not provide any, but felt that it was more important to quell my mother's insistence on getting some. Another supporting staff member literally yelled at my mother's fellow patient / roommate, explaining to her that she could not leave her bed under any circumstances. The reason that this patient was leaving her bed was to acquire an additional blanket. This poor woman had asked nursing staff for one over the intercom almost 20 minutes prior. This happened to our neighbor on a couple of different occasions.

Some members of the care team appeared to walk around the wing with a chip on their shoulder, while select others had the most awesome attitude and were extremely friendly. The staff with excellent attitudes were not the norm. 

Nursing and Support Staff / Workflow Challenges

There is a built-in automation scheduling software and alert system that is visible in the patient rooms. It is a wall-mounted kiosk device. It often would trigger when medicines were due to be administered, as well as meal delivery. They often went ignored, and finally, after anywhere from 30 minutes to an hour to two hours later, support staff would show up to deliver and otherwise perform that scheduled event. 

It appeared to me that a contributing factor to this was the missing level of cohesiveness between various care teams.

Security

I personally walked right through the parkade, around the long way, to the front door, carrying a large black gym bag. In this gym bag were some toiletries for myself and a change of clothes. I then got on the elevator and took it to the 2nd floor. I continuously follow topics on security, both cyber and physical; the ability to walk unchallenged into a hospital carrying a bag that could have *anything* in it scares me to no end. Stories in the media about various threats to institutions like this never seem to end. Having served in the Marines, and later working in information assurance and security, I have found myself in constant attack / defend mode. It has made me immediately think of the worst possible scenario.

I routinely went outside to get fresh air with my brothers and sisters as we took turns visiting. I saw security so infrequently that I figured there was none. This isn’t fair to the people waiting there to heal, and just as importantly, could be a serious liability for your organization. 

At the entranceway of the hospital is a fully-functional security desk and information center that was unstaffed the entire time.  

In Summary

In academic terms, I feel that my mother’s overall experience at this hospital was a “D”, or maybe a “C-”, neither of which align with your organization's philosophy for patient care. I thought that it would be best to address this with you directly, so that you have the opportunity to effect change more efficiently. I have no interest in making trouble for your organization to any degree; rather, to lend a helping hand to a fellow enterprise in the medical industry in the hopes that this helps patients.

One of the things that I have ingrained and constantly reinforce to our site/location managers is that all of these things are not a checklist or “get-it-done” process. It is a way of doing business, and doing it every day. As you know, your organization owns just under 300 hospitals and surgical centers across the country, and I think that surprise, unannounced, informal multi-function / multidisciplinary audits like mine could go a long way in helping your organization manage risk, especially as it pertains to medical care and compliance with various governance.

Further, I am sure that your organization has its own regulatory and compliance team that is tasked with these responsibilities; I would strongly recommend forming an independent team that conducts these audits. They should be random, unannounced, regular, and in an almost undercover fashion. 

In closing, please simply confirm that you received my letter. My goal is simply to relay our experience to your leadership team, and hope that it helps effect change. If you have any additional questions, please don’t hesitate to contact me.

Sincerely,

W. Aaron Gregory

{that is the end of the letter}

My Thoughts

Why would medical caregiver staff behave this way? How could a medical care facility let any one of their patients leave with this experience? How could a covered entity not have the focus on cybersecurity and ePHI safeguards that they should?

This is just a rant of mine, shooting right from the hip.

Many organizations from the newest graduate/new hire, on up to the executive leadership and shareholders are plagued with a special kind of enterprise indifference. I think that this indifference comes from many different things:

"It won't happen to us."

Yes, actually, it will. And is. Although the number of occasions that HHS OCR has documented patient health record exposure and breaches in 2018 (according to some sources) has decreased, the fines have crept upward. The average percentage of revenue spent on payroll ranges from 30-50 percent. What will a $2.4M fine do to your company?

Cybersecurity is a huge topic, and occupied a landmark percentage of discussions at this year's HIMSS conference. Why is cooperation from employees sometimes so challenging? Some may think it is because they do not have skin in the game.

"I've been here for 20 years; that is how we have always done it."

These employees are truly the most dangerous. Because of the sometimes emotional attachment levied on long-term employees, coupled with the fact that they have never worked for any other employer in their lives, they need help. They need help understanding that the rest of the world is changing around them. It is the year 2019. Phrases like "that's not my job", or "I don't do email" must really be relegated to the rubbish container.

This comes in many forms. Employees in certain departments can truly keep a process or an improvement to that process hostage. Extremely manual processes guarded and protected for the sake of job security. Old, unsupported software or systems. These employees have their own agenda at heart; not the organization's. Are they a gold mine, or a land mine?

"The Board / Management Team will never go for that!"

How do you know? Have you made a business case? Have you conducted a cost-benefit analysis? Have you made a proposal? Do not blame all of the organization's maladies on the board or management team. Don't assume. You know what "assuming" does. Stop blaming executive leadership for everything. Executive leadership is depending on you to make things happen. Not once have I heard an executive or otherwise higher-level management figure say "I am going to do whatever I can to stymie employee progress or organizational improvement!". Chances are, neither have you.

"Mary doesn't like to do it that way."

Well, I am afraid Mary should pursue employment elsewhere, unless she's ready to conform to standard operating procedures. Patients are our customers, and recent government guidance and rules are starting to make that a bit more clear.

"The pay is not that great."

Everyone has options, so pursue them: one of those options is simply this: become noteworthy. I have personally watched employees climb the ladder quickly, because of their personal drive and commitment. It is not an excuse for employees to aim for mediocre, nor is it an excuse for management to feel sorry for employees and let them off the hook.

"I can't get my staff to listen."

Maybe you need to make some changes. To your staff; the way you communicate; your workflow, etc.

Thanks for reading! I call on your feedback: how have you solved some of these challenges or addressed these issues?

Phil Howard

6 years ago

I come from a large family of doctors, nurses, anesthesiologists, and practice managers. I grew up in this atmosphere. Things are changing, but I am not surprised to see what you describe, along with the great pecking order from top down. Old ways die hard. Your passion is clear. Anyone that would take this much time and detail. Probably appreciated more here on LinkedIn and professional management circles than anywhere. The EMR thing is quickly becoming a classic story of messed up systems and failed interop.
