ST BERNARDINE MEDICAL CENTER

Report ID: 5M9J11, California Department of Public Health

Reported Entity: ST BERNARDINE MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to ensure that their policies were followed to protect the confidentiality of Patient A's protected health information (PHI). The hospital failed to ensure that Case Manager 1 (CM 1) faxed confidential patient information to the correct insurance company. This failure resulted in a breach of PHI for Patient A.Findings:A review of the hospital's investigation into the breach of records was conducted on November 13, 2012. The hospital's investigation revealed that, on October 10, 2012, CM 1 faxed PHI for Patient A to Health Insurance Company (HIC) A, instead of the intended HIC B. CM 1 realized her error the same day and reported to the hospital's Privacy Officer (PO). Further review of the investigation revealed that the breached PHI included Patient A's name, age, date of birth, gender, home address, description of the patient's medical condition, and diagnoses and treatment. Patient A's social security number was not included. A review of the hospital policy titled "Safeguarding PHI and Sensitive Information", dated January 5, 2009, revealed "It is the policy of (name of health care company) to provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."An interview was conducted with the hospital's PO on 11/13/12 at 3:45 PM. She stated that CM 1 had made an error in faxing the information. She stated that there was PHI included in the fax error. The PO confirmed that CM 1 did not follow hospital policy to protect Patient A's PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights