Mercy Medical Center

Report ID: BP8I11, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the facility failed to ensure confidential treatment of Patient 2 and 4's protected health information (PHI) when:1. Patient 1 was given Patient 2's care plan.2. Patient 3 was given the lab order form for Patient 4.This failure resulted in unauthorized access of Patient 2 and 4's PHI and the potential for abuse of this information.Findings:1. On 4/18/14 at 10:40 a.m., during a telephone interview, the Privacy Officer (PO) stated on 4/1/14 an unidentified employee of the family care clinic gave Patient 2's Patient Care Plan to Patient 1.Patient 2's PHI breached included her name, date of service, diagnosis, medications, test results, and discharge instructions.2. On 4/18/14 at 10:40 a.m., during an interview, the PO stated that on 4/3/14 an unidentified employee of the family care clinic gave the lab order slip for Patient 4 to Patient 3. The PO stated that the clinic employees should be double checking all paper work before giving it to patients, but this was not done.Patient 4's PHI breached included his name, address, telephone number, date of birth, social security number, medical record number, physician name, insurance company and account number, and lab test to be performed.The facility's policy and procedure titled, "PROTECTED HEALTH INFORMATION AND SENSITIVE INFORMATION, SAFEGUARDING OF", implemented 12/09, indicated, "It is the policy of [Hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights