COMMUNITY REGIONAL MEDICAL CENTER

Report ID: HN1F11, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview, facility and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when Patient 1's utilization review report was mistakenly faxed to the wrong payer. This failure placed Patient 1's PHI at a potential risk for unauthorized use.Findings:On 7/16/12 at 2:20 a.m., Staff 1 (Privacy Officer) stated on 6/14/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 (Registered Nurse) mistakenly faxed Patient 1's utilization review report to the wrong payer. Staff 1 stated it was staff 2's responsibility to ensure PHI was faxed to the correct destination.On 7/16/12 at 2:35 p.m., Staff 1 stated the utilization review report contained Patient 1's name, date of birth, date of service, account number, medical record number, attending physician, diagnosis, and confidential clinical information. On 7/16/12 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."The facility policy and procedure number 12108, titled " Facsimile Transmission of Health Information, " dated 7/26/10, contained the following documentation: " Staff members faxing patient information shall take reasonable steps to ensure that the fax transmission is sent to the appropriate destination. "

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights