CLOVIS COMMUNITY MEDICAL CENTER

Report ID: YY0J11, California Department of Public Health

Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the facility failed to protect confidential Patient Health Information(PHI) when:1. Patient 1's financial assistance form was mistakenly given to Patient 2 in the emergency department. (see CA00320740)2. Health information for Patients 3 and 4 was mailed out to an unauthorized residential home instead of the insurance provider. (see CA00321957)3. Patient 5's discharge instructions were given to Patient 6 upon discharge in error. (see CA00320405)4. Patient 7 was discharged with another patient's Lab results in error. These failures resulted in unauthorized access of confidential patient information. Findings:(Related to CA00320740)1. On 2/8/13 at 9 a.m., Privacy Officer (PO) stated on 7/30/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 1 mistakenly gave Patient 1's financial assistance form to Patient 2 while in the emergency department. The PO stated it was Staff 1's responsibility to ensure the correct financial assistance form with Patient 1's PHI was given to the correct Patient.On 2/8/13 at 9:05 a.m., the PO stated the financial assistance form contained Patient 1's name, address, date of birth, social security number, date of service, medical record number, account number. On 2/8/13 at 9:15 a.m., PO stated Patient 1 was sent a certified letter on 8/3/12 informing her of the breach.On 2/11/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."(Related to CA00321957)2. On 2/26/13 at 9:10 a.m., during an interview, the Privacy Officer (PO)stated on 7/27/12 at 9:23 a.m. she was notified by Patient 3's mother (the complainant) that she had received in the mail along with Patient 4's information a CMS 1500 claim form. The PO stated that both claim forms should have gone to Tricare not the home address. The PO stated that on 7/27/12 at 1 p.m., a courier retrieved and returned the documents to the privacy office.On 2/26/13 at 9:20 a.m., the PO stated that the employee had been spoken to and had been in training period. The PO stated that both Patient 3 and 4 had been notified of the Protected health information (PHI) inappropriately disclosed.The PHI disclosed included, patient name, address, date of birth, gender. account number, insurance information and guarantor related to the patients hospital visit.On 2/26/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."(Related to CA00320405)3. On 2/8/13 at 9 a.m., Privacy Officer (PO) stated on 7/30/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 1 mistakenly gave Patient 5's discharge summary instructions to Patient 6 in error upon discharge. The PO stated it was Staff 1's responsibility to ensure the correct discharge summary instructions with PHI was given to the correct Patient.On 2/8/13 at 9:05 a.m., the PO stated the discharge instructions contained Patient 5's name, date of birth, date of service, medical record number, account number, and confidential clinical information pertaining to the day of surgery. On 2/8/13 at 9:15 a.m., PO stated Patient 5 was sent a certified letter on 8/3/12 informing her of the breach, but was returned back unclaimed.On 2/11/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."(Related to CA00325646)4. On 2/8/13 at 9 a.m., Staff 1 (Privacy Officer) stated on 9/10/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 (Registered Nurse) mistakenly gave Patient 7's Lab report to the wrong patient's parents upon discharge. Staff 1 stated it was staff 2's responsibility to ensure PHI was given to the correct Patient.On 2/8/13 at 9:05 a.m., Staff 1 stated the Lab report contained Patient 7's name, gender, date of service, medical record number, account number, and Lab result pertaining to her emergency room visits, and confidential clinical information. On 2/8/13 at 9:15 a.m., Staff 1 stated Patient 7 was sent a certified letter on 9/14/12 informing her of the breach but was returned back unclaimed.On 2/11/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights