PLACENTIA LINDA HOSPITAL

Report ID: W3G811, California Department of Public Health

Reported Entity: PLACENTIA LINDA HOSPITAL

Issue:

Based on interview and facility document review, the facility failed to prevent the disclosure of 14 patients' (Patient A, B, C, D, E, F, G, H, I, J, K, L, M and N) protected health information (PHI) to unauthorized individuals.Findings:1. Review of the hospital's investigation showed on 6/4/12, an inadvertent breach of Patient A's PHI occurred.On 6/5/12, a patient, who was discharged from the hospital's emergency department (ED) the evening of 6/4/12, discovered Patient A's discharge instructions were stapled together with his own discharge instructions and brought them back to the hospital.Patient A's disclosed PHI included name, reason for visit (diagnosis), physician's name and the post-discharge medication name.2. Review of hospital documents showed on 6/3/12, a breach of Patient B's PHI occurred.On 6/12/12, the hospital's investigation found a patient who was discharged from the hospital's ED was given their discharge documents with patient identification labels belonging to Patient B affixed to them.Patient B's disclosed PHI included name, date of birth (DOB), medical record number (MR#) and account number, physician's name and an initial indicating gender. 3. Review of the hospital's report showed another patient who had been discharged from the hospital's ED, on 6/7/12, was inadvertently given the Nursing Notes, Physician Notes and a medication form belonging to Patient C. The patient found Patient C's PHI attached to their own discharge forms.Patient C's disclosed PHI included name, DOB, MR# and account number, ED physician's name, chief complaint and home medications, triage assessment, medications administered in the ED and the admission order to the medical-surgical floor, physician assessment of condition and diagnoses.4. Review of hospital documents showed, on 6/16/12, the hospital was notified a breach of Patient D's PHI occurred.On 6/13/12, another patient was being discharged to a skilled nursing facility. On 6/16/12, a staff at the skilled nursing facility notified the hospital they found discharge instructions belonging to Patient D in the medical record of the patient they received from the hospital.Patient D's disclosed PHI included name, DOB, address and phone number, MR#, account number, encounter number, physician's name, five home medication names and the date of discharge.5. Review of the hospital's investigation showed a breach of Patient E's PHI occurred on 7/16/12.A representative from a medical group called the hospital's Admitting Department to report receipt of a fax in error. The hospital's Admitting Financial Counselor had followed instructions given by an insurance company for which medical group to fax Patient E's PHI.Patient E's disclosed PHI included name, DOB, social security number and address, phone number, encounter number and MR#, physician's name, insurance information and chief complaint for service.6. On 7/20/12, the Department was notified a staff of the hospital's contracted billing company inadvertently mailed the medical record belonging to Patient F to the wrong insurance company.Patient F's disclosed PHI included Admitting documents, Discharge Summary, Consultation Report and ED Nursing Notes, ED Physician Notes, Progress Notes and Physician's Notes, Operative Report, Laboratory tests & results, Pathology Report and Radiology results, nursing documentation on infusion therapy & monitoring of lines and patient vital signs.7. Review of the hospital's investigation showed a breach of Patient G's PHI occurred on 7/27/12.A staff in the Imaging Department accidentally auto-faxed Patient G's mammography report to the wrong physician. The correct physician had the same last name, but different first name. The incorrect physician was in the auto-fax system.Patient G's disclosed PHI included name, DOB, MR# and encounter number, date of exam, physician's name and test results.8. Review of hospital documents showed on 8/1/12, a patient was discharged from the ED and was mistakenly given a laboratory report belonging to Patient H.Patient H's disclosed PHI included name, DOB, MR#, encounter number and laboratory test results and values.9. Review of hospital documentation showed the medical record belonging to Patient I was inadvertently mailed to the incorrect insurance provider on 9/18/12.Patient I's disclosed PHI included the entire medical record. 10. On 9/20/12, the hospital reported a breach of Patient J's PHI occurred on 9/14/12.Review of the hospital documents showed on 9/14/12, Patient J's post-operative prescription was mistakenly given to another discharged patient. Both patients had the same medication prescribed post-operatively.Patient J's disclosed PHI included name, DOB, physician's name and medication name.11. Review of hospital documents showed, on 9/19/12, an audit of electronic medical records (EMRs) was done by the Director of Health Information Management. The Director discovered a staff member accessed the EMR of Patient K specifically for the patient's magnetic resonance imagery (MRI) and radiology results. The access to Patient K's EMR was inappropriate as there was no authorization allowing the staff (the significant other of the patient) to do so. Patient K's disclosed PHI included the results of both the MRI and Radiology tests.12. On 9/21/12, the Department was notified a breach of Patient L's PHI occurred.On 9/20/12, a patient discharged from the hospital was given Patient L's PHI in error. Included in the discharge papers given to the patient were two forms titled "An Important Message From Medicare About Your Rights" and "Belongings Tracking Record" which had the identification label belonging to Patient L. Patient L's disclosed PHI included name, DOB, MR#, encounter number and physician's name.13. Review of hospital documents showed a breach of Patient M's PHI occurred on 9/25/12.On 9/25/12, a Unit Secretary in the ED printed a medical record for a patient. However, another staff printed some of Patient M's medical record using the same printer. The Unit Secretary removed all the papers from the printer and faxed them to an organization. Patient M's medical record was inadvertently faxed with the other patient's medical record.Patient M's disclosed PHI included name, DOB, age and gender, MR#, encounter number and physician's name, medications ordered and laboratory results.14. Review of the hospital's investigation showed a breach of Patient N's PHI occurred on 10/16/12. On 10/17/12, the Health Information Management Director performed an audit trail and discovered inappropriate access into the electronic medical record (EMR) belonging to Patient N. Investigation showed an off-site corporate employee accessed Patient N's EMR. Further investigation showed an anesthesiologist, who was on Patient N's care team, inappropriately disclosed the patient's case to the off-site corporate employee, who then inappropriately and intentionally accessed the patient's entire EMR.Patient N's disclosed PHI included name, H&P, Consultation Report, and Operative Report, Progress Notes, Anesthesia Record and Nursing Notes, radiology results of abdomen x-ray, radiology results of pelvis computerized tomography scan and laboratory results and Report of Death.On 12/3/14 at 1100 hours, a conference with the Hospital Compliance and Privacy Officer confirmed the reported breaches occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280