Mercy Medical Center

Report ID: HM8211, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when Patient (Pt) 1's Patient Plan (a document summarizing a patient's clinic visit) was given to the mother of Pt 2.This failure placed Pt 1's PHI at a potential risk for unauthorized use.Findings:On 1/12/15 at 2:10 p.m., during an interview, the Facility's Privacy Officer (PO) stated, on November 17, 2014 at 1:30 p.m., Patient (Pt) 2's mother returned the "Patient Plan" for Pt 1, when she realized it had another patient's name on it. The PO stated Pt 2's mother was given Pt 1's "Patient Plan" in the Family Care Clinic by the Licensed Nurse (LN 1). The PO stated LN 1 did not check the printed patient identifiers or follow the policy for safe guarding of Protected Health Information (PHI) before handing the papers to Pt 2's mother. The PO stated Pt 1's mother was notified of the breached PHI in a letter mailed on 11/20/14. The PO stated Pt 1's breached PHI included the admitting diagnosis, medications, and vital signs. The facility policy and procedure titled, "Safeguarding of Protected Health Information and Sensitive Information," dated 11/14, indicated, "POLICY: [The facility] will comply with HIPAA and other federal and state laws governing protection of confidential health information. GUIDELINES: P. When providing copies of discharge instructions or other copies of sensitive information to a patient or patient representative: 1. Nursing and Medical staff shall verify that the correct printed name and information is on all pages being provided, prior to handing the pages over."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights