COMMUNITY REGIONAL MEDICAL CENTER

Report ID: JJ2G11, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:1. Patients' 1, 2, 3, 4, and 5 treatment authorization request forms were mailed to a Behavioral Health Services office in another county in error. (refer to CA00348609)2. Patient 6's financial evaluation was mailed to an unauthorized recipient. (refer to CA00352183) 3. Patient 7's PHI was accessed by an unauthorized individual (refer to CA0052185)4. Patient 8's bill was then mailed to the wrong address. (refer to CA00352190)These failures resulted in the breach of patients PHI and the potential for unauthorized use.Findings: 1. Refer to CA00348609On 5/30/14 at 10:40 a.m., during a telephone interview, the Privacy Intake Specialist (PIS) stated on 3/18/13 Patient 1, 2, 3, 4, and 5's PHI was mailed to an unauthorized recipient in error. The unauthorized recipient was another county's Behavioral Health Services (BHS) office. On 3/20/13, the unauthorized recipient's employee (BHS) 1 notified the Senior Vice President Compliance Officer (SVPCO) of the breach. BHS 1 informed the SVPCO the original breached information was mailed to the intended BHS recipient. BHS 1 faxed copies of Patient 1, 2, 3, 4 and 5's Treatment Authorization Requests (TARs) for Mental Health Stay in the Hospital to the PIS, then shredded them. Review of the medical records indicated the following PHI was mailed to the unauthorized recipient:For Patient 1: Name, date to birth, age, social security number, sex, date of service, and physician's name.For Patient 2: Name, date to birth, age, medical record number, sex, date of service, physician's name, and provider information.For Patient 3: Name, date to birth, age, medical record number, sex, date of service, physician's name, and provider information.For Patient 4: Name, date to birth, age, medical record number, sex, date of service, physician's name, and provider information.For Patient 5: Name, date to birth, age, medical record number, sex, date of service, physician's name, and provider information.The hospital's policy and procedure titled, "HIPAA general Rules for the Use and Disclosure of PHI," dated 4/18/12, indicated, "Guidelines...Protected Health Information includes any information received, created or maintained by ... in which the patient is ... identified, regardless to whether the information is in oral, paper or electronic form ... D. Using and Disclosing PHI ... may only use or disclose PHI if: a. the patient has given a valid authorization; ... workforce members should never disclose information about a patient unless they have explicit authorization to do so ... workforce members should exercise care in how the communicate patient information ... to reduce the likelihood that it is exposed to unauthorized persons ..." 2. Refer to CA00352183On 4/18/14 at 3:59 p.m., during a telephone interview, the Privacy Intake Specialist (PIS) stated Patient 6's financial evaluation had been mailed to an unauthorized recipient. The PIS stated on 4/18/13, Patient 9 called the hospital's billing office and notified them that he had received another patient's (Patient 6's) financial evaluation in the mail, along with his own. A courier went to Patient 9's home and retrieved the letter. The breached PHI for Patient 6 included: Name, address, date of birth, driver's licence number, social security number, employer, job title, gross pay, marital status, and banking institutions and type of accounts. The hospital's Policy and Procedure titled, "HIPAA general Rules for the Use and Disclosure of PHI," dated 4/18/12, indicated, "Guidelines: ... Protected Health Information includes any information received, created or maintained by ... in which the patient is ... identified, regardless to whether the information is in oral, paper or electronic form ... D. Using and Disclosing PHI ... may only use or disclose PHI if: a. the patient has given a valid authorization; ... workforce members should never disclose information about a patient unless they have explicit authorization to do so ... workforce members should exercise care in how the communicate patient information ... to reduce the likelihood that it is exposed to unauthorized persons ..." 3. Refer to CA0052185 On 4/18/13, at 3:58 p.m., during a telephone interview, the Privacy Intake Specialist (PIS) stated Patient 10's wife, (a member of the hospital's corporate information staff) called the hospital's Privacy Office (PO) complaining that an employee at a physician's office had inappropriately accessed her husband's (Patient 7) PHI. The physician's office employee, Medical Assistant (MA) 1 gained access to Patient 7's PHI through the hospital's electronic medical record system (EPIC). The PIS stated MA 1 admitted she had accessed Patient 7's PHI through EPIC. The PIS stated the PO did an access audit of Patient 7's electronic record. The PO was able validate Patient 7's PHI had been inappropriately accessed on two separate occasions during the month of 3/2012. The PO informed the physician office staff employer that a violation had occurred. The breached PHI for Patient 7 included nine unauthorized accesses on 3/23/12 and 11 unauthorized accesses on 3/29/12. These encounters included a variety of patient reports, chart reviews, microbiology, and medication information. The hospital's policy and procedure titled, "Confidentiality/Breach of Information," dated 8/17/10, indicated, "Protected health information is only to be accessed in relationship to an employee's or the health care provider's assigned job duties, on a business need to know basis. Accessing any patient information including but not limited to your own, your family members, or any other individual(s) without a business need to know, without authorization, for unauthorized purposes, or not within your "scope of assigned duties" is a breach of confidentiality."4. Refer to CA00352190On 4/18/14 at 4:06 p.m., during a telephone interview, the Privacy Intake Specialist (PIS) stated on 4/18/13, Patient Financial Services Department was informed Patient 9 had received a billing statement in Patient 8 name. A hospital courier retrieved the statement from Patient 9 and returned it to the privacy office on 4/11/13. The PIS stated an internal investigation revealed a Patient Representative (PR) 1 inappropriately linked and integrated Patient 8's account information into Patient 9's account. The two patients had similar names. A billing statement for Patient 8 was sent to Patient 9's address.Patient 8's breached PHI included: Name, date of service and outstanding balance. The hospital's policy and procedure titled, "HIPAA general Rules for the Use and Disclosure of PHI," dated 4/18/12, indicated, "Guidelines: ... Protected Health Information includes any information received, created or maintained by ... in which the patient is ... identified, regardless to whether the information is in oral, paper or electronic form ... D. Using and Disclosing PHI ... may only use or disclose PHI if: a. the patient has given a valid authorization; ... workforce members should never disclose information about a patient unless they have explicit authorization to do so ... workforce members should exercise care in how the communicate patient information...to reduce the likelihood that it is exposed to unauthorized persons ..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights