DOCTORS MEDICAL CENTER

Report ID: 5TYG11, California Department of Public Health

Reported Entity: DOCTORS MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's medical information was faxed to an unauthorized recipient. (refer to CA00346366)2. Patient 2's home medication was given to an unauthorized individual. (refer to CA00339273)3. Patient 3's medical record was accessed by an unauthorized individual (refer to CA00333388)These failures resulted in not protecting the PHI for Patient's 1, 2 and 3 and had the potential for unauthorized use. Findings: Refer to CA003463661. On 10/14/13 at 12 p.m., during an interview, the Hospital Compliance Officer (HCO) stated a Unit Clerk misdialed a fax number and Patient 1's PHI was sent to an unauthorized recipient. Review of the medical record indicated the following information was faxed: Patient 1's face sheet with name, date of birth, medical record number and insurance information. Patient 1 was an infant and the letter of notification was mailed to the patient's mother notifying her of the breach.The (Hospital) Policy and Procedure titled, Transmission of Medical Records By Facsimile dated 5/16/12, states, 3. Sender Procedure: a."When faxing documents...1. Verify by telephone the availability of the authorized receiver before beginning transmission...i. Verify from either the communication/Transmission report or...the fax was sent to the correct phone number." Refer to CA00339273 2. On 10/14/13 at 12:05 p.m., during an interview, the HCO stated Patient 2's PHI was breached when his home medications were given to an unauthorized recipient on 1/3/13. Review of the medical record indicated Patient 2's home medications were placed in another patient's belongings bag. The medications were given to the wrong patient at time of discharge. Patient 2's PHI included name, pharmacy, doctor, medication dosage, and usage. A letter was sent to Patient 2 regarding the breach on 1/10/13. The (Hospital) Policy and Procedure titled, Patient's Personal Property dated 12/22/10, indicated; "Purpose: To delineate the procedure to ensure the safety of personal valuables...Procedure I. Personal belongings: A. At the time of admission,...items remaining with the patient are to be documented in detail in the electronic Nursing Admission Assessment...D. When patients are admitted to Critical Care areas: clothing and valuables are to be bagged and sent home with family...if available."Refer to CA003333883. On 10/15/13 at 2:50 p.m., during an interview, the HCO stated Patient 3's PHI was breached when medical records were accessed by an unauthorized hospital staff employee on four occasions between 8/24/12 and 10/2/12.Review of the medical records indicated Patient 3's lab values were accessed by a hospital staff member without prior authorization. The breach was discovered during a routine audit of access to electronic health information performed on 11/14/12. A notification letter regarding the breach was sent to Patient 3 on 11/16/12. The (Hospital) Policy and Procedure titled, Record Processing and Information Handling dated 9/16/13, states; III. Standard: "A. Record Processing; Protected health information (PHI)...whether electronic or paper format, shall be protected from unauthorized disclosure...dissemination...It is expected all Users will maintain the confidentiality of this information."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights