ST JUDE MEDICAL CENTER

Report ID: TOXG11.01, California Department of Public Health

Reported Entity: ST JUDE MEDICAL CENTER

Issue:

Based on interview and hospital document review, the hospital failed to prevent the disclosure of 15 patients' protected health information (PHI) to unauthorized individuals (Patients C, D, E, F, G, K, L, M, N, O, P, Aa, Bb, Jj, and Kk).Findings: 1. Hospital documentation dated 8/26/10, showed a breach of Patient D's PHI had occurred.A nursing manager informed the Privacy Officer a patient alerted a nurse she had received Patient D's registration and guarantor (insurance company/payee) information on 8/26/10. The hospital's investigation showed two patients with similar names were registered at the same time and the other patient received Patient D's PHI in error.2. The Privacy Officer was made aware a breach of Patient C's PHI occurred on 7/23/10.A patient presenting to the outpatient area for an appointment on 8/26/10, returned a packet containing Patient C's PHI mailed by the hospital's outpatient area on 7/23/10. The packet disclosed Patient C's name, address and the date of birth on a pain questionnaire. 3. The hospital's Privacy Officer was notified a breach of Patient E's PHI occurred on 9/24/10.The hospital's investigation showed during a pre-surgery phone call on 9/24/10, a scheduler called the wrong patient. The hospital staff disclosed Patient E's name, an upcoming surgery and demographics to this patient. The investigation showed there were two patients with the same name. In addition, the physician's office gave the scheduler the wrong patient information.4. Review of hospital documents dated 10/21/10, showed the Department was notified of the disclosure of Patient F's PHI.Review of the hospital's investigation showed an employee in the Health Information Services area was notified on 10/20/10, a medical record belonging to Patient F was disclosed to an unauthorized person. The PHI belonging to Patient F disclosed an Emergency Department report, an imaging and a laboratory report, Patient E's name, account and medical record numbers and the ordering physician.5. Hospital documents show the hospital was made aware on 11/5/10, a breach of Patient G's PHI occurred. The hospital's investigation showed Patient G registered in the Emergency Department on 7/17/10. The insurance company for the patient's previous visit was billed for the 7/17/10 visit. Due to a denial of payment by the insurance company, a courtesy call was made and a letter was sent to the insurance company on 10/25/10. The insurance company called the hospital on 11/5/10, and informed the hospital they were not the correct insurance company to bill for payment. Patient G's PHI in the form of hospital registration information which included name, date of birth, social security number and demographics was sent to the wrong insurance company.6. On 1/3/11, hospital documents show the Privacy Officer was notified of the following three breaches of PHI.a. During the registration process Patient K, the correct individual, was selected. However, when entering the policy holder's address, the information regarding the patient's son was entered in the father's account. Patient K and his son have the same name. Patient K's explanation of benefits was incorrectly mailed to his son.Patient K's PHI was disclosed in error to an unauthorized individual(s).b. While in the Emergency Department, Patient L's PHI was incorrectly faxed to another hospital in error. Review of the investigation showed Patient L's name, address, date of birth, physician, diagnoses and treatment given were documented on an emergency medical transport form for transfer. A staff copied the form on both a copier and fax machine. The patient's PHI was inadvertently faxed to another hospital along with another patient's documents.c. Health Information Services was notified they had released the laboratory report of Patient M to another patient. The PHI of Patient M was disclosed to another patient in error. Patient M's PHI disclosed name, account and medical record number, laboratory results and physician's name.7. Review of hospital documents showed on 2/4/11, the Department was notified a breach of Patient N's PHI occurred. The Emergency Department was notified by a patient's daughter on 2/1/11, her mother received discharge instructions with Patient N's name. The hospital's investigation showed while attempting to print the discharge instructions for the other patient, Patient N's name was printed on the discharge instructions. 8. Review of hospital documents showed the hospital was made aware of a breach of PHI involving Patient O on 2/9/11.Nursing staff in the Neonatal Intensive Care unit were called on 2/9/11, by a patient's mother who received discharge instructions belonging to Patient O. The discharge instructions disclosed PHI belonging to Patient O which included the name, medical record number, date of birth, physician, and instructions for care.9. Review of hospital documents showed the hospital was made aware of a breach of PHI involving Patient P on 2/11/11.A patient requested a copy of their cardiac report from the Cardiology Department on 2/11/11. The patient reviewed the report at that time and noted it did not belong to her, but to Patient P. The report was returned to the Cardiology Department. The PHI disclosed included Patient P's name, medical record number, date of birth, physician and the results of the test.10. Hospital documents showed on 6/3/11, the Privacy Officer was made aware a breach of Patient Aa's PHI occurred.A patient discharged from the Emergency Department noticed after she had left the hospital Patient Aa's personal information was on the discharge instructions she received. Patient Aa's name, medical record number, account number were disclosed to an unintended person. 11. The Department was made aware of a breach of PHI on 6/20/11 that was discovered on 6/15/11, involving Patient Bb.A hospital staff crossed the street, just outside the hospital, on 6/15/11. The staff person noticed a patient label, with Patient Bb's name on it, affixed to the traffic signal pole. The staff person removed it and took it back to the hospital. The hospital's investigation showed Patient Bb was homeless and did not have a mailing address and no one answered the phone number obtained during the patient's hospitalization. It was found upon discharge that Patient Bb had two personal belongings bags with a patient label affixed to each. The hospital was unable to determine how Patient Bb's name label ended up on the street light pole. 12. On 8/25/11, the Department was made aware of two breaches of PHI involving Patient's Jj and Kk.a. Patient Financial services received a call from a person on 8/23/11, stating her insurance was billed for services. The person stated these services were not provided as she had not been a patient in the hospital since 2007.An investigation by Health Information Services found the caller and Patient Jj, who received the hospital's services, had the same name. Information was entered into the account of the wrong patient upon Patient Jj's admission on 8/16/11. Patient Jj's PHI disclosed registration to the hospital and the guarantor information, which included the patient's name, address and other private personal information.b. Patient Financial services received a call from a person on 8/25/11, stating she received a letter of explanation of benefits for services provided on 8/16/11. However, she was not the person who received the services. The hospital investigation showed the information had been entered into the wrong account as both the caller and Patient Kk had the same first and last name. Patient Kk's PHI disclosed registration to the hospital and the guarantorinformation, which included the patient's name, address and other private personal information.During a telephone interview, on 4/6/12 at 0930 hours, the hospital's Manager of Regulatory Compliance confirmed the above breaches of PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

4 other violations reported on the same date. Note that other citations may be about the same event: L4GG11.01, L4GG11.02, L4GG11.03, SGP911.01