ST MARY MEDICAL CENTER

Report ID: ZARM11.01, California Department of Public Health

Reported Entity: ST MARY MEDICAL CENTER

Issue:

Based on interview, and record review, the facility failed to ensure that Employee 1 did not use her position as a Labor and Delivery (L&D) Registrar, to access and take a screen shot with her smart phone, of her ex-husband's and daughter's insurance status. This resulted in unauthorized access and a breach (violation) of confidential health information (PHI) for both Employee 1's daughter and ex-husband, who had not authorized access to their records.Findings:On April 1, 2014 at 8:30 AM, a visit was made to the facility to investigate an entity reported incident involving Employee 1 accessing her ex-husband and daughter's insurance information without authorization.During the interview with the Director of Women's/Children's, conducted on April 1, 2014 at 8:40 AM, she explained how the breach occurred. She stated, "Employee 1 was working in post-partum as a unit secretary and went into the computer to the [name of insurance] website. She accessed her ex-husband's insurance, which contained his demographics, because she wanted to find out if her daughter was insured or not. The site contained the ex-husbands name, date of birth, insurance, social security number, address and who was eligible under that insurance. Employee 1 took a picture with her phone of the screen and sent it to his sister who had been the liaison since their divorce. The ex-husband filed a grievance."A review of the documented breach by Employee 1, indicated that the screen shot displayed the ex-husband's name, date of birth, member number and address. At the top the page listed, "Member is Eligible." A review of the daughter's document indicated that it contained the same information but at the top of the form, it indicated: "Member is Ineligible."During a phone interview with Employee 1 on April 4, 2014 at 10:00 AM, she was asked about the breach allegation. She stated, " It started at the doctor when I took my daughter for her physical for middle school. They asked for my secondary insurance. I gave them the card my ex-husband had provided, but when they ran it , they said that my daughter was not eligible. I contacted my sister-in-law who is our go-between, and asked her to clarify with my ex. My daughter overheard and told me, "Daddy isn't working. I'm not covered."During the same interview, Employee 1 stated, " I waited two weeks without any answer. We have shared custody and I was worrying that if something happened to her she wouldn't be insured. I have access in my job to verify insurance eligibility. There are sites for different insurances, so I looked her up, and it showed she was ineligible. [Used ex-husband's name]'s information was on there since he was the insured. I took a screen shot to send to my sister-in-law to show him. She kept insisting that he was insured which is why I printed both of of their insurance information to show her that his was good, but my daughter's was not.Employee 1 stated, "I know it had his information, but we were married for years so I had his Social Security number and the court had mandated I have his address. I was just so frustrated and worried about my daughter. My boss called me in and I admitted what I had done. I was suspended for three days and had to do another class on line for confidentiality. I would never do anything like that again. I've been there for 17 years, and never done this before. I'm so sorry. I was just so frustrated."During review of the facility policy and procedure titled, "Confidentiality," dated January 2012, under the section, "policy," indicated, "The employee will not use his/her access to patient health information, areas containing such information...for purposes other than those necessary to perform his/her job function."The failure of Employee 1 to follow the facility policy related to confidentiality, resulted in a breach due to the unauthorized access of her ex-husband's and daughter's PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

3 other violations reported on the same date. Note that other citations may be about the same event: H5VT11.01, H5VT11.02, HG5X11.01