The trusted source for
healthcare information and
Hospital changes ID requirements after fake staffer works in the ED
Staff must be diligent, even when it's inconvenient
A Florida hospital has significantly strengthened its policies requiring proper identification for all staff in response a recent incident in which a woman was able to impersonate to an emergency department staff member. Risk managers and security experts suggest that other hospitals take the opportunity to reinforce the lessons learned from the incident before a similar incident happens again.
Spokeswoman Lisa Patterson at St. Joseph's Hospital in Tampa, FL, confirms that the woman escorted patients and visitors from one area of the department to another. She was asked to take a patient's blood pressure, but she was relieved from that responsibility when it became apparent that she was not accustomed to the equipment. She later was asked to prepare a patient for testing, but she also was unable to accomplish this task. Again, she was relieved from the duty.
"These observations led staff to believe the woman was too new at the job to be involved directly with patients, so she was then asked to simply observe a patient care technician at work," according to a statement released by the hospital. "Patient care was not compromised during this time. The woman made no medical decisions and had no access to computerized medical records or medications."
In response, the hospital has emphasized the importance of proper identification to staff members and encouraged them to question anyone who seems out of place.
"We revised our policy to include specific details about the process of obtaining a temporary badge and the consequences of not bringing your badge to work," Patterson says. The consequences include disciplinary action that can vary depending on the nature of the incident and how often the employee has violated the policy in the past. (See box below for more on how the hospital responded.)
|Hospital ramps up policies on ID after bogus ED worker
St. Joseph's Hospital in Tampa, FL, has significantly strengthened its policies requiring proper identification for all staff in response to a recent incident in which a woman was able to impersonate an emergency department staff member.
Hospital spokeswoman Lisa Patterson says the hospital's investigation determined that the impostor did not have a hospital badge, but she explained she had lost it and was replacing it the next morning. The impostor was familiar with the emergency department, aware of hospital processes, and wore scrubs, Patterson says.
In response to the incident, the hospital took these steps:
The impostor was trespassing and posed a threat to patient safety and confidentiality, Patterson notes. She says the hospital announced it was investigating legal options for prosecuting trespassers as a way to discourage anyone from trying to sneak in for media attention as a result of the impostor story.
The incident occurred March 5, 2007, when a woman who had been a patient in the ED at St. Joseph's returned there at 9 p.m. wearing scrubs and claiming to be a temporary worker. Although she had no ID badge, staff accepted her story that she had lost it and she was allowed to enter the ED and worked for 10 hours as a patient care technician. Apparently, her familiarity with ED lingo and the layout of the department helped convince the staff she was who she claimed to be.
The situation was absurd, says Grena Porto, RN, MS, ARM, CPHRM, senior vice president with Marsh, an insurance broker and risk management consulting company in Philadelphia, and past president of the American Society for Healthcare Risk Management (ASHRM). "This incident makes you think of a Marx Brothers movie," she says. "First of all, if you don't know someone you can't just say, 'Oh well, you lost your badge' — especially in the ED, where you have a lot of people coming and going."
You must be able to verify staff
Porto notes that it is not unusual for someone legitimate to show up and not be known to the staff — especially in a large hospital. "But having said all of that, you still have to have some process," she says. "We have to be able to verify who you are or send you home."
Photo ID is best, she says, because anyone can simply give the name of an employee. Anyone who shows up and does not have valid ID should be deemed not ready for work, Porto says. However, she concedes that there is no need to take that rule to a ridiculous extreme. "If one of my nurses I know on sight does not have their ID, and I am a nurse manager and need nurses, they might not go home," she concedes.
The issue of someone masquerading as a hospital employee is not unusual, Porto notes, which makes it even more important for ED managers to have strong policies in place. The biggest problem is doctors, who often do not have photo IDs, she says. They may walk in and start reading a patient's chart, but everyone is afraid to question them.
Emphasize training, not just technology
Tim Dimoff, a former police detective and SWAT team member who founded SACS Consulting, a security services company in Akron, OH, says the ED staff's quick acceptance of the impostor is troubling. The bottom line, he says, is that no matter how elaborate your identification process, the whole effort comes to nothing when your staff are so nonchalant that they just wave a person through when she says she doesn't have her badge.
Staff must be trained to take a hard stance in such a situation, no matter how inconvenient it is to either party, and they must not be afraid of hurting someone's feelings, Dimoff says. The weak point in any security system always is the human being who doesn't follow policies and procedures, he says.
"You can put in the greatest technology in the world, and you can write policies and procedures that look absolutely foolproof on paper, but they always depend on someone doing the right thing," Dimoff says. "If that person decides at that moment that he or she can just forget it all and do what they think is OK, it all falls apart."
A hospital's badging process must be sacrosanct, says Ron Morris, senior director of Protective Services at Cincinnati Children's Hospital Medical Center. Hospital policy must require that identification badges be worn at all times, and there must be zero tolerance for those without badges, he says. At his hospital, a staff member who shows up without a badge is directed to the security office, where the identity is confirmed and another badge is issued. A $10 lost badge fee is charged to the employee. On evening shifts, the badge cannot be replaced immediately; thus, the staff person must have his or her identity confirmed by managers on duty, and the incident will be reported to security the following day.
"Our badges can have cash value applied to them for use in the cafeteria and other areas in the hospital, and they are required for access to the parking garage as well," he says. "We've found that those features make the badge even more valuable to the staff member and encourage them to have it with them at all times." (Editor's note: The badges are from Matrix Systems Integrated in Dayton, OH.)
Personnel errors were root cause
As is so often the case in health care risk management, failures of corporate compliance are caused less often by policies than by people's failure to follow them, says James M. Jacobson, partner and co-chair of the health law and life sciences team at the law firm of Holland & Knight in Boston. This is a perfect example, he says.
"It appears that the hospital had appropriate security procedures and policies in place, such as a system of authentication, including badges and a procedure for checking them," Jacobson says. "Very likely, that system would have required reporting to a supervisor or administrator of the ED if a staff person did not meet security requirements. It appears that no one reported it."
The take-home lesson is that the best polices and procedures in the world aren't enough without ensuring that staff members adhere to them, Jacobson says. The solution is training, enforcement, and auditing. "First, hospital compliance officials should ensure that security is part of their corporate compliance training, and that training is repeated regularly and every time a new employee starts work," he says. "Second, when policies are not followed, there should be clear consequences for the staff who fail to follow them. In this case, that might be as simple as a weekend inservice training on hospital security policy, perhaps without pay."
In the most egregious cases, the response could be termination, Jacobson says.
No room for hurt feelings
A. Kevin Troutman, JD, an attorney with the law firm of Fisher & Phillips in New Orleans who assists hospitals with risk management projects, agrees that risk managers should clamp down on identification policies. Fortunately for St. Joseph's Hospital, the impostor apparently meant no harm, he says, but consider the ramifications if she wanted to gain access so she could harm patients or staff.
"The recent shootings at Virginia Tech remind us that we live in a society where security and controlled access can be paramount," Troutman says. "Safety and security is just not being emphasized enough, especially in these situations where you have the ability to stop people, check ID, and say, 'No, you can't come in.' When you have that process in place and people just don't follow it, that's inexcusable."
The St. Joseph's staff should have referred the woman to supervisors who could confirm that she was who she claimed to be, he says. "People have to be willing to act instead of just assuming someone else is handling it, or assuming that somebody knows what's going on," Troutman says. "You have to be willing to inconvenience that person, or inconvenience yourself if you need the employee working. If you're afraid to hurt someone's feelings or make them do what they should do, you're just asking for trouble."
For more information on preventing impostors in health care facilities, contact: