Good Samaritan Hospital

Report ID: XB7411.01, California Department of Public Health

Reported Entity: GOOD SAMARITAN HOSPITAL

Issue:

Based on interview and record review, the hospital failed to protect the patient's rights for confidential treatment for Patient 1, when a staff registered nurse (RN A) accessed her family member's (Patient 1) electronic medical record. The failure resulted in unauthorized access of Patient 1's medical record. Findings:The California Department of Public Health received an online report on 9/3/14, which indicated RN A accessed Patient 1's medical record on 8/13/14, without a written authorization or a job related reason.During an interview on 1/13/15 at 12 p.m., the facility privacy official (FPO) stated a computer audit report indicated RN A had accessed Patient 1's medical record on 8/13/14 and viewed her cardiology reports. FPO stated Patient 1 had been living with RN A. RN A had brought Patient 1 to the emergency department (ER), and Patient 1 was later admitted to the hospital. FPO stated when Patient 1 was admitted, she had given RN A permission to talk with the doctors about her condition and on her behalf, since English was Patient 1's second language. FPO stated RN A usually accompanied Patient 1 to her doctor's appointments and helped interpret. FPO stated after Patient 1's ER visit, she still had some questions about the tests, so RN A looked them up. FPO further stated there was not a written authorization. During an interview on 1/15/15 at 11:30 a.m., RN A stated she had taken Patient 1 to the ER in July 2014, and some tests were performed. RN A stated she helped translate since English was not Patient 1's first language. RN A also stated she usually accompanied Patient 1 to her doctor's appointments to translate, and RN A had verbal permission to accompany Patient 1. RN A stated since she had permission to accompany Patient 1 to her doctor's appointments, then she had permission to look up her test. RN A further stated she was using Patient 1's test to help her get used to navigating in the computer, and she did not look at the test. RN A stated she did not have a job related reason to look at Patient 1's medical record. RN A stated she stopped looking at Patient 1's medical record because she was not sure if she had the right to look at it. Review of a copy of a letter dated 9/3/14 from the hospital to Patient 1 indicated Patient 1's protected health information (PHI), including her cardiology reports, had been disclosed to RN A without a job related reason. Review of a copy of a computer audit indicated Patient 1's cardiology reports, which included her electrocardiogram (EKG, a test to check the electrical output of the heart) report, were accessed by RN A on 8/13/14. Patient 1's EKG report indicated her name, date of birth, age, sex, admission and discharge dates, location in hospital, primary care physician's name, service date, test reason, and test results were disclosed.Review of the hospital's 5/1/08 "Minimum Necessary" policy indicated only workforce members with a legitimate "need to know" may access patient information. Each workforce member may only access the minimum information necessary to perform his or her designated role. Review of the hospital's 4/7/10 "HIPAA - Protected Health Information for Employee's Family Members or Friends" policy indicated employees with access to protected health information of family members or friends must treat the patient's information as they would any other patient who is not known to them personally.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: Y4SL11.01