BAKERSFIELD MEMORIAL HOSPITAL

Report ID: 5LV111, California Department of Public Health

Reported Entity: BAKERSFIELD MEMORIAL HOSPITAL

Issue:

Based on interview and record review, the hospital failed to protect a patient's medical record, which contained protected health information, from an unauthorized person without the patient's consent. Findings:During an interview with the Director of Risk and Compliance (Dir Risk), on 10/11/11, at 11:50 AM, she stated: "Patient 1 called on 9/21/11 and reported that Staff 1 looked into his medical record after a visit on 3/13/11 to the emergency room." Investigation demonstrated that Staff 1 accessed Patient 1's medical record on 3/13/11. "Staff 1 is a hospital coder, but didn't code Patient 1's chart. She had no reason to access the record." During a review of the employee file for Staff 1, she had yearly training for Health Insurance Portability and Accountability Act (HIPAA) and was re-educated and tested on 9/28/11. During an interview with the Dir Risk, on 10/11/11, at 12:05 PM, she stated: "Patient 1 has left multiple messages...it's a personal problem between the two...he wants her (Staff 1) fired." The hospital report titled "Access by a Specific User/Patient" generated on 9/21/11 at 7:23 PM, indicated Staff 1 accessed Patient 1's medical record on 3/14/11 at 8:27 AM. The hospital HIPPA Memoranda Attestation Form regarding HIPAA Education-Privacy and Data Security indicates "PHI (Protected Health Information) cannot be accessed by an employee...unless you have a legitimate business purpose and to do your job." The hospital policy and procedure titled "Network Usage Policy" dated 12/18/09, indicated "G. Prohibited Uses of the Network: 6. Accessing or disclosing Confidential Information...that is not within the scope of the User's related duties and responsibilities..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights