CONTRA COSTA REGIONAL MEDICAL CENTER

Report ID: 14CM11, California Department of Public Health

Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to protect the confidential medical information of seven patients (Patients 20, 22, 24, 26, 29, 30 and 31.) of 15 patients reviewed, as evidence by:1. Patient 23 received a first trimester screening form, after a clinic visit, pertaining to Patient 22 (CA00311741); 2. Patient 25 received an appointment reminder form, in the mail, pertaining to Patient 24 (CA00311741);3. Patient 26 ' s medical records were faxed to a private residence, instead of the eye center (CA00311741);4. Patient 30 ' s prescription was faxed to an insurance office, instead of the pharmacy (CA00311754);5. Patient 31 ' s Hospital Issued Notice of Non Coverage by Medicare was mailed to the wrong company (QIO Medicare company) (CA00311754);6. Patient 21 received Intake documents, during a hospital visit, pertaining to Patient 20 (CA00311757);7. Patient 29 ' s medical records were faxed to a private residence instead of a Skilled Nursing Facility (CA00311750);These failures caused patients loss of dignity and privacy, and placed them at risk for identity theft. Findings:Review on 6/19/12 of facility policy "Safeguarding Protected Health Information", dated 4/14/2003 and revised 7/1/2010, showed that the policy instructed staff that " Workforce members must take precautions to prevent the unauthorized access, use, or disclosure of health system identification card itself, any document embossed with this information, or any document with this information written on any part of it. " The policy further instructed staff that they " must be very careful to give the correct health system identification cards and paperwork to the proper patient. "Review on 6/19/12 of facility policy "Faxing, E-Mailing, or Mailing Protected Health Information", dated 4/14/2003 and revised 7/1/2010, showed that the policy instructed staff that disclosure of protected health information by fax only after the credibility of the requestor is established by verifying the telephone number of the requesting party and double check every fax number before hitting send. The policy further instructed staff that a cover sheet must be used and contain the sender ' s name, business address, phone and fax number and the following language must also be included: " Notice: the document being faxed is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged and confidential, and re-disclosure is prohibited. If you are not the intended recipient, or are the employee or agent responsible for delivering the message to the intended recipient, you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you have received this communication in error, please notify the sender immediately by telephone and return the fax to us at the address above via the U.S.Postal Service. Thank You. "Review on 6/19/12 of facility policy "Release of Information", dated 6/2010 showed that the policy instructed staff that Identity and authority shall be verified prior to any disclosure of patient health information. The policy instructed staff to verify identity with photo ID card the identity of the person requesting the health information, review the database correspondence section and the Keane system comments for any special requests of the patient for releasing or restricting their protected health information.1. On 6/19/12, the PO (Privacy Officer) stated that on 3/28/12 staff gave Patient 23 a First Trimester Screening form embossed with Patient 22 ' s medical ID (Identification) card after a clinic appointment. The error was discovered on 4/18/12 when Patient 23 arrived to have the labs drawn. Review on 6/19/12, of the " Frist Trimester Screening " form dated 3/28/12 showed patient 22 ' s first and last name, birthdate, sex, phone number and medical record number, in the right lower corner of the page but had hand written information regarding Patient 23. Review on 6/19/12, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 22 showed an appointment on 3/28/12 at facility 646. Review on 6/19/12, of the " MPI Visit Selection " for Patient 23 showed an appointment on 3/28/12 at facility 646.2. On 6/19/12, the PO (Privacy Officer) stated that on 3/30/12; staff mailed Patient 24 ' s appointment reminder slip to Patient 25. The error was discovered on 4/17/12 when the Patient 25, who had received it called to say she knew nothing about an appointment at this clinic and realized it had someone else ' s name on it.. The PO also explained that the appointment reminder slip was not saved as evidence but that the patient information included in the appointment reminder slip was Patient 24 ' s name, medical record number, account number, Primary Care Physicians name, and information about future appointments for Patient 24.3. On 6/19/12, the PO (Privacy Officer) stated that on 4/18/12; staff faxed Patient 26 ' s medical record to a private residence instead of the eye care center. The error was discovered on 4/19/12 when the private resident, who had received the fax, called to report that the fax was misdirected to their home fax. The PO also explained that the medical record clerk at the clinic had dialed the wrong number and that the fax number for the eye care center was only one digit off from the private residence number.Review on 6/19/12 of the fax cover sheet showed that the medical records clerk intended to send the A-scan report of Patient 26 to the Eye clinic on 4/18/12, and that the A-scan included Patient 26 ' s name, date of birth, medical record number, and information related to the A-scan procedure (an ultrasound of the eye).4. On 6/19/12, the PO (Privacy Officer) stated that on 5/3/12; staff faxed Patient 30 ' s prescription to an insurance company office instead of the pharmacy. The error was discovered on 5/3/12 when staff at the insurance company, who had received the fax, called to report that the fax was misdirected to office fax. The PO also explained that the prescription included Patient 30 ' s name, address, date of birth, medical record number, phone number, primary care physicians name, and information about the medication.Review on 6/19/12 of the fax showed that staff intended to prescription of Patient 30 to the pharmacy on 5/3/12, and that fax included Patient 30 ' s name, address, date of birth, medical record number, phone number, primary care physicians name, and information related to the three medication prescriptions.5. On 6/19/12, the PO (Privacy Officer) stated that on 5/1/12; staff mailed Patient 31 ' s Hospital -Issued Notice of Non-coverage to a QIO company (private, mostly not-for-profit organizations, which are staffed by professionals, mostly doctors and other health care professionals, who are trained to review medical care and help beneficiaries with complaints about the quality of care and to implement improvements in the quality of care available throughout the spectrum of care) that no longer had the contract for QIO with the hospital. The error was discovered on 5/8/12 when staff at the QIO company, who had received the fax, called to report that the mailed to office. The PO also explained that the Notice of Non- coverage contained Patient 31 ' s name, medical record number, admission date, HIC number, attending physician ' s name, information about Patient 31 ' s condition and information related to Patient 31 ' s Medicare benefits.6. On 6/19/12, the PO (Privacy Officer) stated that on 12/5/11 Patient 20 and Patient 21 were both seen in the hospital Emergency Department and on 12/20/11 Patient 21 complained to the Office of Civil Rights (OCR) that he had received PHI(protected health information) related to Patient 20 from the intake physician. The error was discovered on 4/25/12 when the OCR sent a letter to the PO notifying him of the breach of confidentiality. The PO also explained that the PHI was a " Consent to Services " which included Patient 20 ' s name, date of birth, age, sex, medical record number, Patient Account Number, admit date, phone number, and primary care physician ' s name.Review on 6/19/12 of a copy of the PHI that was given to Patient 21 showed that the " Consent to Services " form was dated 12/5/11, and that it included Patient 20 ' s name, date of birth, age, sex, medical record number, Patient Account Number, admit date, phone number, and primary care physician ' s name..7. On 6/19/12, the PO (Privacy Officer) stated that on 4/20/12; (MSW) medical social worker faxed Patient 29 ' s " Medi-Cal eligibility response " to a private residence instead of a SNF (Skilled Nursing Facility). The error was discovered on 4/20/12 when the private resident, who had received the fax, called to report that the fax was misdirected to their home fax machine. The PO also explained that the " Medi-Cal eligibility response " included Patient 29 ' s name, date of birth, Subscriber ID number which is also the patient ' s Social Security Number, and information about the Medi-Cal eligibility.Review on 6/19/12 of the fax showed that the MSW intended to fax Patient 30 ' s " Medi-Cal eligibility response " to a SNF on 4/20/12, and that fax included 42 pages.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights