SAINT AGNES MEDICAL CENTER

Report ID: I92F11, California Department of Public Health

Reported Entity: SAINT AGNES MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential for 4 Patients (Patients 1, 3, 4, and 6) when:1. Patient 1's discharge paperwork was given to patient 2 in error (refer to CA00390357);2. Patient 3's insurance claim form was sent to an incorrect address by the hospital's billing office, (refer to CA00390569);3. Patient 4's itemized bill was mailed to patient 5 in error, (refer to CA00391260);4. Patient 6's itemized Emergency Medical Service (EMS) report was given to Patient 7 in error. (refer to CA00391291).These failures resulted in not protecting the Patients PHI and had the potential for the unauthorized use of that information. Findings: CA003903571. On 3/7/14 at 10:00 a.m., during an interview, the Privacy Officer stated that on 3/1/14, Patient 1's discharge paper work was inadvertently provided to Patient 2 during the discharge process. Emergency Room staff did not double check the patient identification on the discharge papers before giving them to Patient 2. The discharge paper work contained the following PHI: Patient 1's name, date of birth, medical record number, account number, and lab services ordered, but no lab results. The facility policy and procedure titled " Privacy and Confidentiality Policy" dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job." CA00390569 2. On 3/7/14 at 10:00 a.m., during an interview, the Privacy Officer stated that on 2/24/14, the billing department mailed a claim form with Patient 3's PHI to an incorrect address. The billing clerk did not double check the address of the patient prior to sending the claim form. The claim form contained the following PHI: Patient 3's name, date of birth, address, telephone number, insurance ID, insurance group, name of the insurance, physician's name, hospitalization dates, diagnosis codes and the charges billed. The facility policy and procedure titled "Privacy and Confidentiality Policy" dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job." CA003912603. On 3/7/14 at 10:05 a.m., during an interview with Staff 1 (Privacy Officer) stated that on 2/21/14 a copy of the itemized bill for patient 4 was mailed to patient 5 in error by the billing office clerk. The billing office clerk did not double check the address prior to sending the itemized bill.The itemized bill contained patient's 4 demographics, name, account number, address, insurance information, description of services, total charges and payments on account. Documents were retrieved from patient 5 and a certified letter with return was sent to patient 4. The facility policy and procedure titled "Privacy and Confidentiality Policy" dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job." CA003912914. On 3/7/14 at 10:05 a.m.,during an interview, the Privacy Officer stated that on 9/14/13, the Health Information Department provided a copy of the EMS report of Patient 6 to Patient 7.The Health Information Department did not double check the name on the EMS report prior giving a copy to Patient 7. The itemized EMS report contained the following PHI: Patient 6's name, date of birth, address, age, telephone number, diagnosis, medical record number, account number, and date of service. The facility policy and procedure titled "Privacy and Confidentiality Policy" dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights