CONTRA COSTA REGIONAL MEDICAL CENTER

Report ID: WESK11.01, California Department of Public Health

Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of four patients' (Patient 2, Patient 4, Patient 6, and Patient 8 ) medical information when: 1) Patient 2's printed wristband was placed on Patient 1's wrist; 2) Patient 4's prescription was given to Patient 3; 3) Patient 6's printed wristband was placed on Patient 5's wrist; and 4) Patient 8's Home Health order was faxed to the wrong facility. These failures allowed the unlawful or unauthorized access to some of Patient 2's, Patient 4's, Patient 6's, and Patient 8's medical information. Findings: CA00364185The California Department of Public Health was notified on 7/31/13 that a, "Breach of Protected Health Information (PHI)", occurred on 7/28/13.During an interview on 8/14/13 at 10:15 a.m., Administrative Staff A stated that, on 7/28/13, she was notified through the Safety Events Reporting System (SERS) that Patient 1 was registered, on 7/28/13, and a wristband, with Patient 2's PHI, was placed on his wrist, by Licensed Staff B.Administrative Staff A also stated that the breach had been discovered, on 7/28/13, by Licensed Staff C who then reported it by the SERS. Patient 2's PHI included Patient 2's name, hospital record number, medical record number, gender, admission date, and type of admission.Administrative Staff A further stated that it was an error, in not following policy and procedure, when Licensed Staff B placed the wrong wristband on Patient 1's wrist, without double checking his identity by using two identifiers.CA00364190: The California Department of Public Health was notified on 7/31/13 that a, "Breach of Protected Health Information (PHI)", occurred on 7/28/13.During an interview on 8/14/13 at 10:30 a.m., Administrative Staff A stated that, she was notified by Licensed Staff E through the Safety Events Reporting System (SERS), on 7/29/13, that Patient 3 had notified Licensed Staff E that she had received a prescription for Patient 4 from Licensed Staff D. Administrative Staff A also stated that, Patient 4's PHI included her name, account number, date of birth, home address, phone number, medication name and care provider name.Administrative Staff A further stated that it was an error, in not following policy and procedure, when Licensed Staff D handed Patient 3 the prescription, for Patient 4, without double checking Patient 3's identity.CA00364193The California Department of Public Health was notified on 7/31/13 that a, "Breach of Protected Health Information (PHI)", occurred on 7/29/13.During an interview on 8/14/13 at 10:45 a.m., Administrative Staff A stated that, on 7/29/13, she was notified through the Safety Events Reporting System (SERS) that Patient 5 was registered, on 7/29/13, and a wristband, with Patient 6's PHI, was placed on her wrist, by Unlicensed Staff F.Administrative Staff A also stated that the error was discovered by the same Unlicensed Staff F who then reported it by the SERS. Patient 6's PHI included her name, hospital record number, medical record number, gender, admission date, and type of admission.Administrative Staff A further stated that it was an error, in not following policy and procedure, when Unlicensed Staff F placed the wrong wristband on Patient 5's wrist, without double checking her identity by using two identifiers.CA00364199The California Department of Public Health was notified on 7/31/13 that a, "Breach of Protected Health Information (PHI)", occurred on 7/25/13.During an interview on 8/14/13 at 11 a.m., Administrative Staff A stated that, on 7/31/13, she was notified by Administrative Staff G that Unlicensed Staff H had notified her that Patient 8's home health order had been faxed to the wrong home care office instead of Patient 7's orders..Patient 8's information included, name, address, medical record number, date of birth, diagnoses, physician name, and in-home supportive services needed. Administrative Staff A also stated that it it was an error, in not following policy and procedure, when Unlicensed Staff I faxed Patient 8's PHI to the wrong organization without double checking the fax number and organization to which it was supposed to be sent..A review of the facility Policy and Procedure for, "PATIENT IDENTIFICATION PROCESS", (9/11), reveals the following: "III POLICY Ambulatory Care staff at all facility health centers will will protect and accurately identify each patient that we serve. Staff must reliably identify the individual as the person for whom the service or treatment is intended, must match the service or treatment to that individual, and must secure their protected health information and medical record accuracy at all encounters...V PROCEDURE B. For patients presenting for services 18 years and over, Registration Clerk will: 1. Request to see a government issued photographic proof of identity...2. Compare the identification presented with the patient information in the registration system and the appointment documentation...F. Clinical and ancillary services staff will be responsible for verifying the patients' identity prior to rendering care, performing diagnostic studies, giving medications and treatments".A review of the facility Policy and Procedure for, "RELEASE OF INFORMATION", (9/10), reveals the following: "IV. PROCEDURE A. Sending PHI by Fax...3. A Fax Cover Sheet must be fully completed and used for every fax transmission...5. Carefully enter the fax number. After the fax number has been entered, check it against the fax number you have for the recipient before pressing send".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

3 other violations reported on the same date. Note that other citations may be about the same event: 2MXY11.01, 9JFK11.01, ZU6711.01