CLOVIS COMMUNITY MEDICAL CENTER

Report ID: ZD1G11, California Department of Public Health

Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when Patient 1 received Patient 2's PHI in the mail.This failure resulted in the breach of Patient 2's PHI and the potential for unauthorized use. Findings: On 11/4/14 at 9:30 a.m., during an interview, the Privacy Officer (PO) stated that Patient 2's PHI was breached on 9/29/14 when a financial statement was mailed to Patient 1 containing Patient 2's PHI. The breach was discovered on 10/16/14 when Patient 1 called the patient financial office regarding the statement and it was discovered her address was accidentally linked to Patient 2's account. Review of the medical record indicated the following information was included on the statement: Patients name, date of service, account number, insurance carrier and balance of money due on statement.The hospital policy and procedure titled "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12, indicated "A. Protected Health Information and Records: 2. The paper and electronic records of ..., which contain PHI, are created and maintained for the purpose of providing patient care and for facilitating ... business processes. I. Accurate information: 1. It is the responsibility of all individuals who collect information from patients or who record information about patients in a chart ..., to be as accurate and complete as possible ... N. Data security: 1. Patients have the right to expect that their information is collected, stored and maintained in a reliable manner and sufficient precautions are taken by the hospital to prevent its misuse."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights