HEMET VALLEY MEDICAL CENTER

Report ID: J2ZC11, California Department of Public Health

Reported Entity: HEMET VALLEY MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to prevent the unauthorized access and/or disclosure of Patient A's private/medical information. This failure had the potential to result in the misuse of Patient A's private/medical information.Findings:During an interview with the Privacy Officer (PO), on February 11, 2014, at 10 a.m., the PO stated the facility was informed on January 7, 2014, documents for Patient A were faxed to an unintended recipient. The PO stated it was the facility's practice to verify what documents were to be faxed and where the fax was directed to, prior to faxing. The PO stated this was not done for Patient A's documents.The documents faxed to the unintended recipient were reviewed. The documents contained the following information:Two documents titled "Emergency Room Reports" containing Patient A's name, date of birth, medical record number, hospital account number, past and present medical histories(including pregnancy history), social history (whether or not the patient smokes or drinks), family history, physical examination information, laboratory and test results, and diagnosis.The facility policy titled "HIPAA POLICY...Breach of PHI (Public Health Information)- Notification) created date November 20, 2010, indicated "..."Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as patient name..."The policy further indicated, "... "Unlawful or Unauthorized Access" means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280