The aide discovered the exposed records during a January 27 inspection, when investigators found a report sheet containing health information for two residents sitting uncovered on the medication cart in the first-floor north hallway at 12:35 PM.
When confronted about the violation, the aide confirmed the form contained resident information but said the nurse on duty had left for lunch. The aide admitted uncertainty about whether the report should be placed where others could see it.
Fifteen minutes later, the Director of Nursing acknowledged the privacy breach. She confirmed the report form contained resident information and should not have been visible on the cart. The facility's Assistant Administrator later told inspectors that resident records with medical information should never be visible to other residents or visitors.
All records should be covered to maintain privacy, the administrator said.
The exposed information belonged to two residents with complex medical conditions. One patient had been admitted with primary osteoarthritis, type 2 diabetes, acute and chronic respiratory failure with hypoxia, insomnia due to mental disorder, acute bronchitis, gastro-esophageal reflux disease, anemia, hyperlipidemia, bipolar disorder, depression, polyneuropathy, essential hypertension and atrial fibrillation.
The second resident's diagnoses included heart failure, pneumonia, atrioventricular block, type 2 diabetes, essential hypertension, hemiplegia and hemiparesis following cerebral infarction affecting the left non-dominant side, chronic obstructive pulmonary disease, muscle weakness, abnormal posture, and dysphagia.
Both residents' complete medical histories were visible to anyone walking through the hallway.
The facility's own policy, outlined in the employee handbook, explicitly prohibits such exposure. The policy states that the facility treats resident medical and health information as confidential in accordance with federal HIPAA regulations and the Privacy Rule.
Employees must not use or disclose protected health information in any manner that would violate the Privacy Rule, according to the handbook. The policy warns that any employee found to have violated HIPAA will be subject to disciplinary action, up to and including immediate termination.
Yet the Assistant Administrator revealed a significant gap in training and oversight. The facility's only HIPAA policy exists in the employee handbook, with no additional privacy protocols or training materials.
The violation occurred during a complaint investigation, suggesting someone had already raised concerns about privacy practices at the facility. State inspectors classified the harm level as minimal, but the breach affected two of eight residents reviewed for privacy protections.
The incident highlights a basic failure in privacy safeguards. Medical records left on hallway carts become accessible to other residents, family members, visitors, and unauthorized staff. The exposed information included sensitive psychiatric diagnoses, chronic conditions, and detailed medical histories that federal law requires facilities to protect.
The Privacy Rule requires nursing homes to maintain strict confidentiality of medical records and other health information. Facilities must define and limit when and how protected health information may be used or disclosed. Leaving detailed medical reports uncovered in public areas violates these fundamental requirements.
The aide's confusion about privacy requirements suggests inadequate staff training on HIPAA compliance. Certified nurse aides handle medical information daily and must understand basic privacy protections. The fact that this aide questioned whether records should be visible indicates systemic training failures.
The Director of Nursing's acknowledgment that the records should not have been visible confirms the facility knew the correct procedures but failed to implement them. This gap between policy knowledge and practice creates ongoing risks for resident privacy.
The timing of the violation, during the lunch hour when the responsible nurse had left, points to inadequate supervision and handoff procedures. Medical records should remain secure regardless of staffing transitions or break schedules.
Federal inspectors documented the privacy breach as part of a broader review of resident rights protections. The facility failed to ensure resident privacy for medical records, a fundamental requirement under both federal nursing home regulations and HIPAA privacy rules.
The violation affects residents' trust in the facility's ability to protect sensitive information. Medical records contain intimate details about health conditions, treatments, and personal circumstances that residents expect to remain confidential.
Nexus at Berwyn operates at 3601 South Harlem Avenue in Berwyn. The facility's privacy failures occurred despite having written policies requiring confidentiality protections and threatening termination for HIPAA violations.
The inspection found that staff uncertainty about basic privacy requirements, combined with inadequate oversight during routine operations, created conditions where resident medical information could be exposed to unauthorized individuals walking through the facility's hallways.
Full Inspection Report
The details above represent a summary of key findings. View the complete inspection report for Nexus At Berwyn from 2026-01-30 including all violations, facility responses, and corrective action plans.