QUEEN OF THE VALLEY MEDICAL CENTER

Report ID: SLLZ11.01, California Department of Public Health

Reported Entity: QUEEN OF THE VALLEY MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to prevent intentional unauthorized access and disclosure of Patient 1's medical information when Patient 1's electronic medical record was intentionally accessed by unauthorized facility staff. This failure allowed the possible unlawful or unauthorized use of some of Patient 1's protected health information.Findings:The California Department of Public Health was notified, on 4/12/11, that an intentional breach of protected health information occurred between 4/4/11 and 4/6/11.Patient 1 was admitted to the facility, on 4/4/11, intubated and unresponsive.During an interview on 11/2/12 at 4 p.m., Administrative Staff A stated that, on 4/6/11, he became aware that facility staff, who were not responsible for Patient 1's care, knew too much about Patient 1's PHI and determined that Patient 1's electronic medical record had possibly been accessed by unauthorized facility staff. Administrative Staff A also stated that subsequent investigation determined that Licensed Staff B, Licensed Staff C, Unlicensed Staff D, and Unlicensed Staff E, all of whom had worked together, with Patient 1, for many years at the facility, had intentionally and inappropriately accessed their friend's PHI contrary to facility policy and procedure and their orientation information when hired.During an interview on 12/12/12 at 9 a.m., Licensed Staff B stated that, "[Patient 1] was a friend and a colleague...and I entered the computer system to see why she was in the Intensive Care Unit...It was an impulsive decision since regretted".During an interview on 12/12/12 at 10:10 a.m., Licensed Staff C stated that, "I was going on pure emotion mode, was close to the family, and did not think".During an interview on 12/12/12 at noon, Unlicensed Staff E stated that, "I was not thinking. I was concerned about my friend and looked at her record without malice".A review of the facility Policy and Procedure for "CONFIDENTIALITY" (2/3/11 ) reveals the following: "3.0 POLICY The protection of confidential, sensitive, and proprietary information is of critical importance to the facility, its work-force, and its patients. In addition, the safeguarding of patient information from unauthorized, inappropriate, and unlawful use and disclosure is required by law and is consistent with the values of [the facility]. Employees are required to follow all policies and procedures and the facilities Standards of Conduct regarding use and disclosure of business patient information, and to comply with all safeguards applicable to the employee's work area and the employee's scope of duty in order to ensure that business and patient information is safeguarded at all times..1.1.2 The employee will only use and disclose that patient information that is minimally necessary in order to accomplish the intended purpose of the use or disclosure..1.1.3 The employee will follow all [facility] policies and procedures and [the facility's] Standards of Conduct and take all precautions to prevent any intentional or unintentional use or disclosure of any trade secrets or confidential information about the facility, its employees, and its programs".A review of [the facility] Corporate Responsibility Program Handbook (Employee Compliance Handbook-v 4.9) reveals the following: "All medical records and any other information that has the potential to identify an individual, in any form, wether electronic, on paper, or oral is considered protected health information ("PHI"). This includes any information that relates to the past, present, or future physical or mental health or condition of an individual (patient); that care has been provided to an individual (such as whether or not the individual is at the hospital receiving treatment or has been in the hospital)...Avoid unnecessary discussions about patients outside of treatment rooms, elevators, reception areas or any other room used by the general public...The patient must authorize the use and disclosure of their health information for any non-routine disclosures and most non-health care related purposes...You may not access any medical record, including your own or family member unless it it required in order to perform your job".A review of the facility Policy and Procedure for "PROTECTED HEALTH INFORMATION, USE & DISCLOSURE: IMPROPER ACCESS OR USE, CALIFORNIA NOTIFICATION & REPORTING REQUIREMENTS" (11/1/11 ) reveals the following: "1.0 DEFINITIONS...Unauthorized The inappropriate access, review or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the California Confidentiality of Medical Information Act...4.2 Notice to the Patient or Patient's Representative. [The facility] will provide written notification...to the affected patient or to the patient's representative at his or her last known address within five business days after the unlawful or unauthorized access, use or disclosure has been detected (sic). A patient has a "patient representative" if the patient is a minor or is an adult lacking the capacity to make health care decisions".

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

The report containing this deficiency also includes information about 3 other violations. Note that these may be related to the same event: SLLZ11.02, SLLZ11.03, SLLZ11.04

1 other violation reported on the same date. Note that other citations may be about the same event: 4RTM11.01