This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

CLOVIS COMMUNITY MEDICAL CENTER

2755 HERNDON AVE, CLOVIS, CA 93611

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 19, 2012. Also cited in 27 other reports.


Report ID: OOSZ11, California Department of Public Health

Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER

Issue:

Based on staff interview, facility and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's laboratory request form was mistakenly given to Patient 2.
2. Patient 3's facesheet was mistakenly given to Patient 4.
3. Patient 5's facesheet was mistakenly given to Patient 6.
4. Patient 7's financial statement was mistakenly given to a private citizen.
5. Patient 8's financial evaluation form was mistakenly handed to Patient 9.

These failures placed Patient 1, Patient 3, Patient 5, Patient 7 and Patient 8's PHI at a potential risk for unauthorized use.

Findings:

Refer to CA00309605

1. On 6/19/12 at 8:45 a.m., Staff 1 (Privacy Officer) stated on 5/2/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 (Unit Clerk) mistakenly gave Patient 1's laboratory request form to Patient 2. Staff 1 stated it was Staff 2's responsibility to check each patient's identification band and to verify patients' name and date of birth to ensure the right patient received the right documents.

On 6/26/12 at 3:20 p.m., the laboratory request form was reviewed and contained Patient 1's name, date of birth, date of service, medical record number, account number, attending physician, diagnosis and surgical procedure.

On 6/26/12 at 4:15 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes... The facility may only use or disclose PHI if the patient has given a valid authorization."

Refer to CA00309875

2. On 6/19/12 at 8:45 a.m., Staff 1 stated on 5/3/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 3 (Patient Representative) mistakenly gave Patient 3's facesheet to Patient 4. Staff 1 stated it was Staff 3's responsibility to check each patient's identification band and to verify patients' name and date of birth to ensure the right patient received the right documents.

On 6/26/12 at 3:20 p.m., the facesheet was reviewed and contained Patient 3's name, date of birth, date of service, medical record number, account number, social security number, address, phone number, guarantor information, attending physician and diagnosis.

On 6/26/12 at 4:15 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes... The facility may only use or disclose PHI if the patient has given a valid authorization."

Refer to CA00312387

3. On 6/19/12 at 8:45 a.m., Staff 1 stated on 5/23/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 4 (Patient Representative) mistakenly gave Patient 5's facesheet to Patient 6. Staff 1 stated it was Staff 4's responsibility to check each patient's identification band and to verify patients' name and date of birth to ensure the right patient received the right documents.

On 6/26/12 at 3:20 p.m., the facesheet was reviewed and contained Patient 5's name, race, date of birth, date of service, medical record number, account number, guarantor, social security number, address, phone number, attending physician and diagnosis.

On 6/26/12 at 4:15 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes... The facility may only use or disclose PHI if the patient has given a valid authorization."

Refer to CA00313507

4. On 6/19/12 at 8:45 a.m., Staff 1 stated on 6/4/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 3 mistakenly gave Patient 7's (biological mother) financial statement to a private citizen (adoptive mother). Staff 1 stated Patient 7's adoption was a private adoption; Patient 7 did not want her information disclosed to the child or the adoptive mother.

On 6/26/12 at 3:20 p.m., the financial statement was reviewed and contained Patient 7's name, address, date of service and account number.

On 6/26/12 at 4:15 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes... The facility may only use or disclose PHI if the patient has given a valid authorization."

Refer to CA00313760

5. On 6/19/12 at 8:45 a.m., Staff 1 stated on 6/5/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 6/4/12 Staff 5 (Patient Representative) mistakenly handed Patient 8's financial evaluation form to Patient 9. Staff 1 stated it was Staff 5's responsibility to ensure all PHI was handed to the correct individual.

On 6/26/12 at 3:20 p.m., the financial evaluation form was reviewed and contained Patient 8's name, date of birth, address, phone number, social security number, medical record number and account number.

On 6/26/12 at 4:15 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Patients have the right to request the facility to communicate with them about their health information in a confidential fashion, including specifying what address or phone number to use for this purpose. Facility staff who communicate with patients, mail information, or leave messages, should verify whether the patient has provided confidential communications information prior to making the communication."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
