This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY HOSPITAL OF SAN BERNARDINO

1805 MEDICAL CENTER DRIVE SAN BERNARDINO, CA 92411

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 7, 2014. Also cited in 46 other reports.


Report ID: PLHN11, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO

Issue:

Based on interview, and record review, the facility failed to ensure that a release of information associate representative (ROI 1), verified the names on all documents that were mailed to an Independent Practice Association (IPA) group for Patient B. This failure, to verify the names on all documents mailed to the IPA group for Patient B, resulted in the unauthorized release of Patient A's protected health information (PHI).

Findings:

On August 6, 2014 at 2:30 PM, a phone interview was conducted with the Facility Privacy Officer (FPO) regarding an entity reported incident of a breach of PHI for Patient A. The FPO stated, "Agency 1 was a contracted copy service company used by Facility 1, to fulfill authorized requests for the disclosure of patient health information on behalf of Facility 1. On May 15, 2013, a contracted employee (ROI 1), who worked in the medical records department at Facility 1, had received a request for medical records from an IPA for Patient B. ROI 1 inadvertently attached the medical records for Patient A to the request which was then processed and mailed to the IPA on May 29, 2013. On June 5, 2013, the IPA group notified Facility 1 that they had received the medical records for Patient A in error. The FPO at the time spoke with an employee at the IPA and the documents were shredded."

On August 6, 2014 a review of an email titled "Documentation of Unauthorized Disclosure" from Agency 1 to Facility 1, it indicated: "The representative (ROI 1) did not follow Agency 2's policy of conducting a final quality check of the terms of the patient authorization against the records being processed, thereby releasing Patient A's medical records to the IPA."

On August 6, 2014 at 2:51 PM, a phone interview was conducted with the Manager for Best Practices and Policy (MBP) at Agency 2. When asked, how requests for the release of medical documents or PHI are processed, the MBP stated, "When a request for medical records comes in, the ROI representative scans the request into the system. The ROI representative then locates the patient in the electronic health record (EHR) and identifies the requested documents to be released and attaches them to the request. The documents are then sent to corporate where they are processed and mailed. The ROI representative is supposed to look at those documents before sending them for processing to corporate, to make sure they have the correct documents for the correct patient. This is their quality check."

The MBP further stated, "If the ROI representative does not completely close out a patient's EHR that she just processed, and opens a new patient's EHR, it will pull the documents from the first encounter. I believe that is what happened in this case. Had ROI 1 closed out the first patient record and double checked the documents she was sending for Patient B to corporate for processing, there would have not been a breach of Patient A's PHI."

The information breached for Patient A included Patient A's name, age, date of birth, account number, medical record number, location, blood test results, urinalysis, renal ultrasound (Kidney ultrasound), stool for OB (feces for blood), chest x-ray, PT, PTT (clotting time tests), BNP (blood test to check for heart failure), Troponin (blood test to check for heart muscle damage), emergency department visit history, and EKG (records electrical activity of the heart).

A review of Agency 2's policy titled, "Unauthorized Disclosure of Protected Health Information", dated July 2011, indicated: "Policies and procedures include the verification of authorizations and request documents, logging of requests, the disclosure of minimally necessary health information, and proper treatment of PHI."

A review of Facility 1's policy and procedure titled, "Confidentiality and Data Classification", dated January 17, 2012, indicated: "Policy: It is the policy of (Name of Facility 1) to provide appropriate access to its information based on a need to know basis while preserving its confidentiality and integrity. Measures to protect this information shall be established in accordance with the level of sensitivity of the information and appropriate risk management policies and practices."

The failure to protect Patient A's PHI, had the potential for the information to be used in identity theft, or in a manner not authorized by the patient.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
