ARROWHEAD REGIONAL MEDICAL CENTER

Report ID: NGSD11.02, California Department of Public Health

Reported Entity: ARROWHEAD REGIONAL MEDICAL CENTER

Issue:

Based on interview, and record review, the facility failed to ensure the confidential treatment of protected health information for Patient B, when her discharge instructions and prescription were inadvertently given to Patient A upon discharge from the emergency room (ER). This placed Patient B at risk for identity theft, and placed both Patients A and B at risk for a reoccurrence of the health issue that brought them to the ER.Findings:An unannounced visit was made to the facility on March 13, 2014 at 3:30 PM, to investigate an entity reported incident of a breach of PHI for Patient B.During an interview with the facility privacy officer (FPO) on March 13, 2013 at 3:50 PM, he stated, "Patients A and B were being discharged from the emergency room (ER) on February 1, 2014. The nurse gave Patient A, the discharge instructions and prescription intended for Patient B. The breach was discovered when Patient A called the Patient Advocate on February 7, 2014 to complain about her bill, and received the wrong discharge instructions. I was not made aware until February 11, 2014. I called Patient A that same day, and requested that she return the discharge packet and prescription to the facility, which she did the next day."A review of the facesheet's and aftercare instructions for Patients A and B, indicated that they had not been seen for similar medical issues, and did not have similar discharge instructions as follows:a. Patient A was seen on January 31,2014, for a scalp laceration that required suturing, and alcohol intoxication. Her prescribed discharge instructions included how to care for the wounds, and follow up visit to have sutures removed, as well as, information on the treatment of alcoholism.shortness of breath related to Stage 4 lung cancer (metastasized). She was to receive a prescription for, "Z-pack" (an antibiotic).During the initial interview with the FPO on March 13, 2014 at 4:00 PM, he was not able to answer whether or not, the two patients had actually received the corrected discharge instructions.A review with the FPO of Patient B's information that had been given to Patient A, contained:" Patient B's name, date of birth, date of visit, medication, providers name, and address, account number, medical record number and her diagnoses of Stage 4 lung cancer."During a phone interview with the FPO on March 21, 2014 at 9:45 AM, he stated, "I was able to verify that both patients had received their correct discharge instructions, and that Patient B did receive her prescription and instructions when she was discharged from the ER. It was a registry nurse (an agency who provides temporary staffing) who had discharged the patients, but the Nurse Manager for the ER was able to talk to him."A review of the facility policy and procedure titled, "Information Management: Security Incident Procedures," dated April 2013, indicated in the policy statement, "It is the policy ...to protect the confidentiality, integrity and availability of information as required bylaw through the application of appropriate safeguards... All workforce members, business associates, medical staff and corporations contracted with the medical center to provide services...are required to comply with this policy and report."The facility failed to protect the PHI for Patient B when the nurse discharging Patient A did not verify the identity of the person he was giving information to, was the correct person which resulted in a breach of PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

The report containing this deficiency also includes information about 1 other violation. Note that these may be related to the same event: NGSD11.01