CONTRA COSTA REGIONAL MEDICAL CENTER

Report ID: 3MGW11.01, California Department of Public Health

Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to protect the confidential medical information of 41 patients (Patients 2, 3, 4, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, and 57) of 100 patients reviewed when:1. Patients' 2, 3 and 4 names, room numbers, account numbers and diets were found on a document found in the parking lot of the hospital. 2. Patients' 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, and 57) protected health information were printed out from an outpatient pharmacy printer, printing inter mixed with patient prescription educational information.These failures placed the patients at risks for loss of dignity and privacy, identity theft and misuse of personal information. . Findings:Review on 5/24/12 of facility policy "Safeguarding Protected Health Information", dated 4/14/2003 and revised 7/01/2010, showed that the policy instructed staff that the facility must have appropriate technical and physical safeguards to reasonably protect health information from intentional or unintentional unauthorized use or disclosure. The Policy instructed staff to safeguard Protected Health Information stored in paper format by ensuring that files and documents are stored in locked desks, rooms or storage containers and that each work place will ensure that files and documents awaiting disposal or destruction are in appropriately labeled containers and all reasonable measures are taken to minimize access. The policy instructed staff that Role Based Access will be created and defined for each work force member based on their need for the minimum necessary computerized information to perform their job. The policy also instructed that each computerized information system holding protected health information has a defined data " owner " who is the manager responsible for its contents and that each owner will review and approve all access requests based on roles. The policy further instructed staff that knowledge of a violation or potential violation of this policy must immediately be reported directly to either the Privacy Officer or the Security Officer.1. On 5/23/12, the PO (Privacy Officer) stated that on 2/1/12 a visitor to the hospital found a document titled " Patients on a Diet " on the ground in the parking lot. The PO stated that the document listed three patient ' s names, room numbers, account numbers and diet. The PO speculated that it had fallen off the meal delivery cart as moved from the cafeteria building to the hospital.Review on 5/23/12, of the document " Patients on a Diet " showed that it was dated 2/1/12and listed the name of Patient 2, Patient 3, and Patient 4 their room numbers, account numbers and their diet.2. On 5/24/12, Pharmacist 1stated that starting in October the printer in the Out Patient pharmacy would sporadically print unauthorized information intermixed with the patient education information she had asked it to print and that at first she just discarded the extra pages but when she noticed it was patient health information she became concerned and reported this error to her supervisor. Pharmacist 1stated this continued to happen so she asked the IT administrator to help and was instructed to e-mail copies of the Patient information to him so he could track down the error. She continued to report these printings to IT, Human Resources and her Supervisor, she was concerned that a potential for Breach of confidentiality existed in that the Protected health information could be accidentally included with a patient prescription.On 5/24/12, the Director of Pharmacy Services (DOP) stated that she had been notified of these potential breaches in October and asked IT to follow up and fix the problem.On 5/24/12, the IT Administrator stated that he had been informed in November by Pharmacist 1 what the printer was doing and had asked her to email him copies of the extraneous things the printer printed so that he could try to tract down where they were coming from. He had assigned an IT tech to research the problem and fix it.On5/24/12 Pharmicist1 and the IT Administrator agreed that the printer was still sporadically printing Patient Protected Health information intermixed with Patient prescription education materials. When asked if the printer was supposed to print any thing besides pharmacy information Pharmacist 1 and the IT Administrator both stated it was for Out Patient Pharmacy use only. When asked if the printer could be disconnected from the larger hospital system and only connected to the Out Patient Pharmacy computer the IT Administrator had no answer.Review on 5/24/12, of the documents Pharmacist 1 submitted as evidence of the printers malfunction, showed that Pharmacist 1 had emailed her supervisor in October with concerns about unauthorized printing and continued to send emails with concerns for potential confidentiality breaches thru 2/22/12. When investigated on 5/24/12,these unauthorized printings were still happening the issue with IT had not been resolved.

Outcome:

Deficiency cited by the California Department of Public Health: Medical Record Availability

Related Reports:

The report containing this deficiency also includes information about 3 other violations. Note that these may be related to the same event: 3MGW11.02, 3MGW11.03, 3MGW11.04

2 other violations reported on the same date. Note that other citations may be about the same event: DH9X11.01, DH9X11.02