CONTRA COSTA REGIONAL MEDICAL CENTER

Report ID: 53Y511, California Department of Public Health

Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER

Issue:

Based on observation, interview, and document review, the facility failed to prevent unauthorized access to two patient's protected health information.Findings:Case 1: In interview on 4/22/13 at 11:45 am, Administrative Staff A stated that at the hospital's Pittsburg Medical Center on 1/2/13, Certified Medical Assistant (CMA) B inadvertently handed Patient 2 Patient 1's fecal occult blood packet when she was leaving the clinic. Staff A stated that CMA B failed to follow the clinic's required two identifier protocol. Patient 2 notified Care Coordinator C of the error, on 1/10/13, when she noticed Patient 1's name on the packet. Care Coordinator C entered the information in the clinic's safety event reporting system (SERS) on 1/10/13. Staff A stated that Patient 2 was asked to return Patient 1's labeled packet, but she stated that she could not find it. Staff A stated that she received the SERS report and notified the Department and Patient 1 of the error on 1/15/13.In interview on 4/22/13 at 1:30 pm, Clinical Services Manager (CSM) D stated that CMA B had admitted that she had not followed the two identifier policy, but she did not recall the specific incident, noting that it had been very busy in the clinic on 1/2/13. CSM D supplied a fecal occult blood packet for inspection. The patient label consisted of spaces for name, sex, date of birth, medical record number, and visit account number.Case 2: In interview on 4/22/13 at 12:15 pm, Staff A stated that an anonymous employee of the Contra Costa Health Plan (a health maintenance organization not on the hospital's license) reported on 1/15/13, that Patient 3's mother, an employee at the hospital's West County Medical Center, had been accessing Patient 3's medical record. Staff A stated that she generated a report through the hospital's, "ccLink," which logs each registered user's access to the electronic medical record (EMR) and the time, date, and part of the record accessed. Staff A stated that the personnel department confronted the employee with the information, and she resigned.Review of the ccLink report on 4/22/13, demonstrated that Patient 3's mother accessed Patient 3's EMR on 12/17/12 from 3:46 to 4:05 pm, 63 times, on 12/20/12 from 10:30 am to 10:49 am, 28 times, on 12/26/1 at 9:14 am, four times, and on 1/9/13 from 10:23 to 10:29 am, six times. It appeared that all parts of the record had been accessed.In interview on 4/23/13 at 9:45 am, Clinical Services Manager E stated that all new employees were trained in health information protection and must get re-training yearly. She also stated that each time a breach was discovered refresher re-training meetings we:re held.Review of the hospital's policies: Patient/Client Confidentiality and Patient Rights and Responsibilities, on 4/23/13, demonstrated that access to a patient's medical information was limited to those directly involved in the patient's treatment or in monitoring the quality of the treatment, unless the patient had given written permission. Unauthorized access was defined as inappropriate review or viewing of patient information, without a direct need for diagnosis, treatment, or other lawful use, and violation would result in disciplinary action. Under no circumstances was it acceptable for employees to access a family member's record.Document review on 4/23/13, confirmed that Patient 1, Patient 3, and the Department were informed of the breaches, by letter, on 1/15/13.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280