Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN FRANCISCO GENERAL HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 9, 2013. Also cited in 27 other reports.
Report ID: EK8W11.04, California Department of Public Health
Reported Entity: SAN FRANCISCO GENERAL HOSPITAL
Issue:
Based on interview, tape recordings, and record review, the hospital failed to maintain the confidentiality of Patient 1's protected health information (PHI - personal identifiers [name, medical record number, etc.], health status, care received, payment of services, demographics [age, gender, zip codes, etc.]) when:

1. One staff member and three contracted Billing employees accessed Patient 1's Lifetime Care Record (LCR - medical record/electronic chart) without need or authorization and reviewed confidential information in the LCR;

2. One contracted security person (SDS 16) discussed Patient 1's protected health information over the telephone with persons who had no need and no authorization to receive this information; and,

3. The contracted security personnel had not participated in annual training on their roles and responsibilities with regard to confidentiality, privacy and HIPAA (Health Information Privacy and Portability Act).

Findings:

1. Patient 1 was a 57-year-old woman admitted to the hospital on 9/19/13. Patient 1, who had periods of confusion, wandered off the nursing unit and was not located within the hospital or at home. This triggered a Missing Persons search by the local Police Department, which was broadcast in newspaper and television reports. Patient 1's dead body was found in a stairwell of the hospital on 10/8/13, and this started more media coverage. This made Patient 1 a high-profile case.

During an interview on 10/28/13 at 8:00 AM, the hospital's Privacy Officer (PO) stated that the hospital automatically does weekly computer audits on high-profile cases to identify potentially unauthorized access to the high-profile individual's Lifetime Care Record (LCR). The PO went on to say that the audits identified four individuals who had accessed Patient 1's LCR without an obvious need to review Patient 1's clinical information.

The PO went on to say that on 10/21/13 the audit report identified that on 10/18/13 a Registered Nurse (RN 6), who worked in the ICU (Intensive Care Unit), had accessed clinical notes and reports in Patient 1's LCR. The PO stated she spoke with RN 6 by telephone on 10/21/13, and RN 6 admitted that she had accessed Patient 1's LCR without need and without authorization because she (RN 6) "was curious."

The PO continued her report and stated the audit indicated that on 10/10/13 a contracted Billing Manager, working for the Department of Anesthesia, had accessed Patient 1's LCR two times to review Patient 1's report notes and discharge summary. During her interview with the PO, the Billing Manager admitted that she had improperly accessed Patient 1's record because she "was curious."

The PO went on to say that a contracted Billing Clerk, working for the Department of Anesthesia, accessed Patient 1's LCR reports and clinical notes on 10/10/13. The Billing Clerk told the PO that she was checking the LCR to see if there was a need to bill for Anesthesia Services. Patient 1 had never had any Anesthesia Services. The PO and the Billing Manager stated there was no need and no authorization for this Billing Clerk to access Patient 1's LCR.

The PO continued that a contracted Billing Analyst, working for the Department of Neurosurgery, viewed Patient 1's clinical notes and discharge summary on 10/10/13. The Billing Analyst acknowledged that there was no need and no authorization for this access and stated that she (Billing Analyst) "was curious."

Record review of the reports "Display Audit Log", dated 10/21/13, showed the dates and the areas of Patient 1's LCR which each of these four individuals had accessed.

Record review of the hospital's Policy and Procedure titled "Health Information Services: Confidentiality, Security, and Release of Protected Health Information", dated 6/11, stated: "It is the policy of (Hospital Name) to protect every patient's right to privacy. As a general guideline, all observations and/or communications regarding a patient's medical history, mental or physical conditions, and treatments are considered confidential. Protected health information may be released only for approved purposes, with proper authorization from the patient when required, and as permissible or required by federal or state law."

Record review of documentation titled "Transcripts" indicated all four individuals had completed the Compliance (HIPAA) and Patient Privacy and Information Security training modules - RN 6 on 5/22/13, Billing Manager on 5/15/13, Billing Clerk on 6/3/13, and Billing Analyst on 6/6/13.

2. During an interview on 10/30/13 at 2:15 PM, the hospital's Risk Manager told the Survey Team that all calls to and from the contracted security dispatcher's telephone dispatch line were recorded. The Risk Manager said that this had been approved by senior officials at the security service, but the information may not have been transmitted to all of the dispatchers. The Risk Manager reported that in the recordings from 10/8/13, the dispatcher on duty (SDS 16) made several calls to his wife and brother relaying protected health information about Patient 1. The Risk Manager stated that it was not clear if SDS 16 also telephoned other individuals and disclosed similar confidential information.

On 10/30/13 at approximately 2:30 PM, the Survey Team listened to a tape recording of conversations to and from the dispatcher. On 10/8/13 during the evening shift (3:00 PM to 11:00 PM), the dispatcher (SDS 16) had multiple calls with persons who were not involved in Patient 1's care. During these calls SDS 16 discussed Patient 1's PHI with unauthorized persons. As examples, on 10/8/13 at 9:34 PM, SDS 16 was recorded saying "18 days later. Yep, she (Patient 1) had no eyeballs. We don't know where they went seriously...I saw a picture of her, she wasn't looking too good. Yeah, still in the same clothes they said she was in so that's how we know it was her. The media doesn't know that yet so keep that under your hat." On 10/8/13 at 10:03 PM, SDS 16 was recorded saying to another individual "this lady (Patient 1) has dementia, she's all f__ up on meds, and she's even potentially suicidal."

At the completion of the tape recordings, both the Risk Manager and the Director of Regulatory Affairs acknowledged that SDS 16 had disclosed Patient 1's protected health information to persons who had no need and no authorization to receive it.

During an interview on 11/5/13 at 3:50 PM, SDS 16 was made aware that his dispatch calls on 10/8/13 had been recorded; SDS 16 said he was unaware that the dispatch line was being recorded. SDS 16 said that he only talked with his wife and some relatives but never told them anything that wasn't on television. SDS 16 stated that he had received confidentiality and HIPAA training but that it was more than one year past.

During an interview on 11/6/13 at 3:28 PM, the Administrative Sergeant (SDS 44) for security staff stated that he was aware that the dispatch telephone line was recorded. SDS 4 stated this had been agreed upon by the hospital and the security services "years ago."

The hospital was asked to provide documentation indicating when SDS 16 had taken Confidentiality, Privacy, and HIPAA training. On 11/7/13, the Director of Regulatory Affairs stated SDS 16 had never participated in the hospital's training for Confidentiality, Privacy, and HIPAA.

3. During an interview on 11/7/13 at 11:40 AM, the Lieutenant in charge of contracted security at the hospital (SDS 1) stated that when he assumed command of the security department in April 2012, he ordered the Sergeants to ensure that all Deputies and Dispatchers participated in the hospital's annual training.

During an interview on 11/6/13 at 3:28 PM, the Administrative Sergeant (SDS 44) for security staff stated that he was aware of the hospital's requirements for annual training for all contracted staff. SDS 4 stated that he was notified by the hospital of all security staff who were overdue with their training. SDS 4 stated that he e-mailed this list of overdue staff members to the Watch Commanders (Sergeants in charge of a specific 8-hour shift).

During an interview on 11/6/13 at 1:45 PM, a contracted security Sergeant (SDS 3), routinely the Watch Commander on day shift, stated that he was responsible for ensuring that all of the Deputy security staff and Dispatcher staff received annual hospital training for Confidentiality and Privacy, including a HIPAA review. SDS 3 stated he had completed his training in late 2012. SDS 3 stated he received regular reports from SDS 4 which showed which Deputies and Dispatchers were overdue for this training, and he required them to attend.

During interviews from 10/31/13 through 11/7/13, five contracted security personnel, SDS 9, SDS 10, SDS 11, SDS 15, and SDS 19, stated they were not aware of any hospital training requirements. Two other contracted security staff, SDS 8 and SDS 13, stated they received Privacy training from the Security Contractor but not from the hospital. In addition to SDS 1, SDS 3, and SDS 4, two other contracted security staff, SDS 6 and SDS 14, stated they participated in annual hospital training.

Record review of the documents titled "Transcripts", dated 10/31/13, indicated that of the 38 contracted security personnel assigned to the hospital, only four had current completion dates for the training modules Compliance (HIPAA), Patient Privacy and Information Security. Of the 21 security personnel interviewed, only SDS 4 and SDS 20 had current completion dates.

Review of the hospital's undated Staff Education Policy (Policy Number 5.13) indicated, "The Department of Education and Training shall...2. Develop and implement an annual competency program that addresses identified needs in collaboration with the Performance Improvement and Safety Committee and is approved by the SFGH Executive Staff..."

The Management Agreement between the Hospital and the Contracted Security Services, dated 10/16/02, stated "all (security) personnel assigned to work at sites under (Hospital) control shall be subject to applicable (Hospital) policies and procedures, provided no such policy or procedure shall be construed to limit the authority of (Security) to exercise command and control of law enforcement and other public safety operations at such sites."

Both SDS 1 and SDS 4 acknowledged that security personnel should participate in the Hospital's annual training activities.
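The two controls that surface in the findings above are a weekly audit of who opened a high-profile patient's chart (finding 1) and a check of whether each person involved has current privacy training (findings 2 and 3). The Python below is an added example of how such an audit can be run over an access log; it is not code from the report, the hospital or its contractors. The event format, the need-to-know rule it applies (treating staff may open the chart; billing staff only for a department that actually rendered a service, which generalizes the Anesthesia billing case in the report), the 365-day training validity window, and every identifier, date and log entry are constructed assumptions for illustration.

```python
"""Weekly need-to-know audit of EHR access to flagged (high-profile) patients,
with a training-currency check on each user the audit flags.

Added example. All identifiers, log entries and policy thresholds are
constructed for illustration and are not data from the inspection report.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: privacy/confidentiality training must be renewed yearly.
TRAINING_VALIDITY = timedelta(days=365)


@dataclass(frozen=True)
class AuditEvent:
    when: date
    user: str
    department: str
    patient_id: str
    section: str  # which part of the chart was opened


# --- constructed sample data (not from the report) ---------------------------
HIGH_PROFILE = {"P-0001"}                                  # patients under weekly audit
CARE_TEAM = {"P-0001": {"md-neuro-01", "rn-med-02"}}        # users treating the patient
SERVICE_DEPARTMENTS = {"P-0001": {"Medicine"}}              # departments that rendered service
BILLING_USERS = {"bill-anes-03"}                            # users in billing roles
TRAINING_COMPLETED = {                                      # last completion date, if any
    "md-neuro-01": date(2013, 5, 1),
    "rn-med-02": date(2013, 4, 10),
    "rn-icu-07": date(2013, 5, 22),
    "bill-anes-03": date(2013, 6, 3),
    "clerk-reg-09": date(2012, 8, 15),                      # stale: more than a year old
}
AUDIT_LOG = [
    AuditEvent(date(2013, 10, 9), "rn-med-02", "Medicine", "P-0001", "clinical_notes"),
    AuditEvent(date(2013, 10, 10), "bill-anes-03", "Anesthesia", "P-0001", "discharge_summary"),
    AuditEvent(date(2013, 10, 18), "rn-icu-07", "ICU", "P-0001", "clinical_notes"),
    AuditEvent(date(2013, 10, 18), "rn-icu-07", "ICU", "P-0002", "clinical_notes"),
    AuditEvent(date(2013, 10, 20), "clerk-reg-09", "Registration", "P-0001", "demographics"),
]


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2013-10-07'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def has_need_to_know(ev, care_team=CARE_TEAM,
                     service_departments=SERVICE_DEPARTMENTS, billing_users=BILLING_USERS):
    """Assumed need-to-know rule: treating staff may open the chart; billing staff
    may open it only on behalf of a department that rendered a service."""
    if ev.user in care_team.get(ev.patient_id, set()):
        return True
    if ev.user in billing_users:
        return ev.department in service_departments.get(ev.patient_id, set())
    return False


def training_is_current(user, as_of, completed=TRAINING_COMPLETED):
    """True only if the user has a completion date inside the validity window."""
    done = completed.get(user)
    return done is not None and _as_date(as_of) - done <= TRAINING_VALIDITY


def weekly_audit(log, week_start, high_profile=HIGH_PROFILE, **policy):
    """Return accesses to flagged patients in [week_start, week_start + 7 days)
    that the need-to-know rule does not justify."""
    start = _as_date(week_start)
    end = start + timedelta(days=7)
    return [ev for ev in log
            if ev.patient_id in high_profile
            and start <= ev.when < end
            and not has_need_to_know(ev, **policy)]


def triage(flagged, as_of):
    """Summarise flagged accesses per user for privacy-officer follow-up,
    noting whether the user's training is current."""
    summary = {}
    for ev in flagged:
        entry = summary.setdefault(ev.user, {
            "department": ev.department, "events": 0, "sections": set(),
            "training_current": training_is_current(ev.user, as_of)})
        entry["events"] += 1
        entry["sections"].add(ev.section)
    return summary


if __name__ == "__main__":
    flagged = weekly_audit(AUDIT_LOG, "2013-10-07") + weekly_audit(AUDIT_LOG, "2013-10-14")
    for user, info in triage(flagged, "2013-10-21").items():
        print(f"{user:14s} {info['department']:13s} events={info['events']} "
              f"sections={sorted(info['sections'])} training_current={info['training_current']}")
```

The audit only reports accesses; the follow-up interviews in the report show why that is the right boundary, since the log cannot distinguish curiosity from a legitimate but undocumented reason. Keeping the need-to-know rule data-driven (care team, service departments, billing roles) lets the same scan be re-run when a new patient is added to the high-profile list.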
Outcome:
Deficiency cited by the California Department of Public Health: PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS