Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 6, 2014. Also cited in 72 other reports.
Report ID: VP8N11, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview, record and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a Rehabilitation Service Access Rep (RSAR) accessed Patient 1's electronic medical record. As a result of this failure, RSAR had access to Patient 1's personal information.
Findings:
An investigation of an entity reported privacy breach was initiated on 10/6/14. It was reported to the California Department of Public Health that on 9/22/14 an employee of the hospital had accessed Patient 1's medical record without a business need to know or authorization from Patient 1.
On 10/6/14 at 11:10 A.M., an interview was conducted with the Rehabilitation Manager (RM). The RM stated that she went to see RSAR and saw the computer screen with Patient 1's name. The RM asked RSAR "why are you in this file?" RSAR then clicked out and stated "yeah I shouldn't have been in there." The RM stated she had asked RSAR again why she had accessed Patient 1's medical record and that RSAR told her that Patient 1 was her friend and that Patient 1 had told her about a diagnosis she had received.
On 10/6/14 at 12:10 P.M., an interview was conducted with the Human Resource Workforce Advisor (HRWA). The HRWA stated that RSAR had acknowledged that Patient 1 had not asked her to access the medical record but that RSAR had taken it upon herself to look up the results of the diagnosis because she was concerned for her friend. The HRWA stated that RSAR had acknowledged to her, that it was a violation and that it was a "stupid mistake."
On 6/19/15 at 11:50 A.M., an interview with RSAR was conducted. RSAR stated that her friend (Patient 1) had told her about her diagnosis and that she clicked on Patient 1's account in the electronic medical record (EMR) but didn't view anything. RSAR stated that her manager (RM) came so she clicked out of the EMR. RSAR stated that she had no business purpose to be in Patient 1's medical record and the decision was based on her on emotion. RSAR acknowledged that Patient 1 had not given her permission to access the EMR.
A review of the hospital's policy and procedure, entitled "Health Information, Access, Use and Disclosure", dated 9/13, indicated "II. Policy E. Minimum Necessary: Health information disclosure under all circumstances should be limited to the amount reasonably necessary to achieve the purpose of the disclosure. Personnel shall exercise professional judgement in determining the minimum amount of information necessary to achieve the purpose of access, use of disclosure of the information."
The hospital policy and procedure titled "Confidentiality of Information (Patient, Financial, Employee, and Other Sensitive and Proprietary Information)," dated 07/14, indicated "II. Policy... B. Confidentiality and Non-disclosure Agreement-access to (hospital's name) computer network... is contingent upon execution of a Confidentiality and Non-Disclosure Agreement. All employees must review and sign..."
The document titled "Confidentiality and Non-Disclosure Agreement," dated 9/3/14, signed by the RSAR indicated "... I Understand and Agree To The Following:... I will not misuse any Confidential information, and will only access such information as is necessary for me to do my job... I will not access, view...any PHI (personal health information)...that is not required for performance of my work for (hospital's name)..."
The RSAR failure to follow the policy and procedure with regards to the accessing of Patient 1's medical record without a direct need to do her job, resulted in the unauthorized access of Patient 1's protected health record information. This was also in violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights