Mercy Medical Center

Report ID: T3M011, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview, clinical, and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential for two of two Patients (Patient 1 and 2) when staff faxed Patient 1 and 2's PHI to the wrong number, in error, instead of the intended Physicians' office.This failure resulted in unauthorized access to Patient 1 and 2's PHI and the potential for abuse of that information.Findings:Refer to CA00360409.On 6/11/14 at 11:15 a.m., during an interview, the HIPAA (Health Insurance Portability and Accountability Act) Coordinator stated on 5/7/14 they were notified by an employee from City Hall that they had received, in error, Radiology reports on Patient 1 and 2. The HIPAA Coordinator stated the Radiology staff failed to validate the correct number for the Physicians' office prior to sending the fax.Patient 1 and 2's PHI breached included name, date of birth, service account number, medical record number, service location of physician and examination report. The hospital policy and procedure titled "Safeguarding of Protected Health Information and Sensitive Information" dated 12/09, indicated, "....Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity. ...4. When faxing PHI or Sensitive Information make sure to confirm the fax number is approved to receive such information."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights