This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN RAMON REGIONAL MEDICAL CENTER

6001 NORRIS CANYON ROAD SAN RAMON, CA 94583

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 10, 2011. Also cited in 9 other reports.


Report ID: S7F711.02, California Department of Public Health

Reported Entity: SAN RAMON REGIONAL MEDICAL CTR

Issue:

Based on interview and record review, the facility failed to protect the confidential health information of two (Patient 1 and Patient 2) of two patients from unlawful and unauthorized release. A Clinical Review Summary containing confidential health information (CHI) regarding Patient 1 was faxed to the wrong insurance company. For Patient 2, a physician left CHI on voice mail using a telephone number that was incorrectly transcribed into the clinical record by hospital staff. These deficient practices increased the risk of identity theft and/or financial fraud.

Findings:

On 1/18/12 the Hospital Compliance Office (HCO) was interviewed. The HCO stated that two incidents, each involving a breach of confidentiality, occurred and that the facility had policies and procedures for protecting unauthorized release of CHI. In addition, employees are trained at the time of hire and at least annually to ensure that release of CHI is done in a lawful manner and with prior authorization.

The HCO provided a facility policy and facility procedures:

The undated policy entitled, "Authorization Procedure" contained these statements:

"1.0 Introduction

"Tenet obtains the authorization of the patient... on the applicable Authorization Form whenever it desires to use or disclose [PHI] for a purpose other than providing Treatment, obtaining Payment, carrying out its Health Care Operations (TPO)...

"4.1 General Procedure

"Except as permitted by Privacy Policy 1.2.3...a patient's PHI may only be used and disclosed if the patient or the patient's Personal Representative completes and signs an Authorization Form.

"4.2.7 The Authorization must contain a signature of the patient or the patient's authorized Personal Representative and the date of the signature."

The 6/13/06 policy entitled, "Information Handling Procedure" indicated the following:

"II. Purpose. Provide a procedure for handling information assets containing confidential or proprietary information.

"III. Procedure.

"3. Information by Fax...

"a) If the fax number has not been previously used, a cover sheet shall first be sent and acknowledged by the recipient. After this test is performed, the confidential and/or proprietary information may be sent.

"7. Information on the Phone.

"a) Confidential information shall not be discussed on speakerphone unless all participating parties first acknowledge that unauthorized individuals are not in close proximity.

"b) User shall speak in guarded terms and refrain from mentioning confidential details beyond those needed to communicate the information."

The undated facility procedure entitled, "Do you know your Fax Facts?" contained the following directions:

"5. Repeat the fax number back to ensure you wrote it down correctly.

"6. Check the number before you press send."

Employee training materials provided by the Hospital Compliance Officer contained the following statements:

Training entitled, "Information Privacy and Security" contained these statements:

"Confidential Information refers to the most sensitive business information intended strictly for use within and between Tenet and authorized third parties... Some examples of Confidential Information are: Protected Health Information. (page 7)

"Under HIPAA's privacy rule, it is illegal to release health information to inappropriate parties or to fail to adequately protect health information from release... Tenet is committed to protecting patient privacy and confidentiality." (page 14)

Training entitled, "Tenet. 2009 CA Privacy Law Update. California's SB 541 & AB 211. California Medical Privacy Laws" contained these statements:

"Senate Bill 541 - Requires us to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information. (page 4)

"SB 541 - Hospital's Obligations - Prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information. (page 5)

The HCO stated that the following incidents occurred:

1. At 12:22 p.m. on 4/15/11 an employee misdirected a fax containing a Clinical Review Summary report for Patient 1. The facility policy was not followed and the fax was received by the wrong insurance company.

The fax unlawfully disclosed the following CHI to an unauthorized recipient: patient name, address and zip code, telephone number, emergency contact person and telephone number, social security number, date of birth, dates of admission and discharge, a clinical description of the reason for admission, 15 medication orders, three treatment referrals, and narrative notes regarding the medical course in the facility.

2. On 5/24/11 a facility physician left a voice mail message regarding Patient 2 when using the telephone number incorrectly transcribed into the clinical record by hospital staff. The message was received by a 13-year-old private citizen whose parent notified the facility of the incident.

The voice mail message unlawfully disclosed the following CHI to an unauthorized recipient: patient name, telephone number, and information regarding a planned and/or recommended procedure.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
