COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA

Report ID: UUVD11.01, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA

Issue:

Based on interview and record review, the hospital failed to prevent unauthorized disclosure of patient health information (PHI) for 24 of 24 sampled patients (1-24), when a briefcase containing PHI for 24 patients was stolen from a car. The failure resulted in the disclosure of 24 patients' PHI to an unauthorized individual(s). Findings:The California Department of Public Health received an online report on 7/21/14, which indicated, on 7/16/14 a staff member (HC) of one of the hospital affiliated entities (Entity 1) had a briefcase, containing documents of 24 hospital patients' PHI, stolen from her car. The documents contained patients' names, policy numbers, personal contact information, telephone numbers, employer names, and physician names. The police were called and a police report was filed.During an interview on 10/17/14 at 12:40 p.m., the privacy officer (PO) stated HC's briefcase containing PHI was stolen from her car during non-business hours. PO stated HC drove home with the briefcase, got out of her car, left it unlocked, and spoke to with a neighbor. When she went back to her car the briefcase was gone. PO stated HC stayed near her car, and had not entered her house when the briefcase was stolen. During an interview on 10/17/14 at 1:35 p.m., PO stated the hospital permitted taking PHI from the hospital for work purposes only, but it needed to be kept secured. PHI should be placed in the trunk of the car if the staff member has one, or at least be kept out of sight. If the PHI was taken home, it should have been brought inside the home, and locked so family could not access it.During a telephone interview on 10/20/14 at 1:30 p.m., HC stated she had driven home from work, had stopped her car short of parking, and got out of the car. HC stated she was within 25 to 50 feet of the car, with her back to the car, talking with someone. HC stated she got back in the car to park it and immediately noticed her purse and work bag had been stolen. HC stated she called the police and filed a report. HC stated she was trained to print one document ("Inpatient Facesheet") from the electronic medical records which contained the address and telephone number for the patients she will visit. HC was not able to recall what else was disclosed on the Facesheet or how many Patient Facesheets she had printed.A review of a copy of a Facesheet HC had printed disclosed hospital name, patient's name, address, telephone number, social security number, sex, date of birth, medical record number, physician's name, admitting diagnosis, insurance information, and next of kin with telephone number.A review of a copy of a letter from the hospital dated 7/21/14 to the affected patients/representatives indicated a document which contained patient name, address, telephone number, date of birth, social security number, insurance name and policy number, personal contact names and telephone numbers, medical record number, employer name, and physician name had been stolen from an employee's automobile.A review of a copy of Entity 1's 3/13/13 "Confidentiality of Information" policy indicated "Copies of clinical records, or excerpts of same, cannot be removed from [Entity 1] except by subpoena, where statutory law requires it, or on written authorization of [Entity 1]."A review of a copy of the hospital's 03/2012 "Confidentiality of Patient and Hospital Business Information" policy indicated "All employees (which for purposes of this policy include contracted staff) are responsible for upholding hospital privacy, confidentiality, ethics, and information security policies and procedures, including those contained in the notice of privacy practices."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: 34X511.01