COMMUNITY REGIONAL MEDICAL CENTER

Report ID: YC9F11, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's PHI was disclosed to an unauthorized third party. (refer to CA00385189)2. Patient 2's PHI was faxed to an unauthorized recipient. (refer to CA00384426)3. Patient 3's PHI was accessed by an unauthorized employee. (refer to CA00383181)4. Patient 4's PHI was sent to an unauthorized facility. (refer to CA00383028) These failures resulted in not protecting the PHI for Patient's 1-4 and had the potential for unauthorized use of that information. Findings: Refer to CA003851891. On 4/25/14 at 1:35 p.m., during an interview, the Privacy Officer (PO) stated on 1/8/14 Patient 1's PHI was breached when a Clinical Supervisor (CS) and a staff member overheard Registered Nurse 1 (RN 1) on the phone discussing Patient 1's clinical findings with an unauthorized third party. The PO stated RN 2 also admitted to disclosing information to the third party on 1/7/14. The breach was reported on 1/20/14.PHI which was discussed with the third party included Patient 1's condition and the finding of a foreign object which had been removed from Patient 1.The (Hospital) Policy and Procedure titled, "Confidentiality/Breach of Information" dated 8/16/13 indicated: "Confidentiality of Patient Information Protected health information is only to be accessed in relationship to employee's...assigned job duties, on a need to know basis. Accessing any patient information...for unauthorized purposes or not within your scope of assigned duties...is a breach of confidentiality...An individual who observes or is aware of a violation shall report the incident to his/her immediate supervisor/manager/director..."Refer to CA003844262. On 4/24/14 at 1:15 p.m., during an interview, the Privacy Officer (PO) stated on 1/12/14, Registered Nurse 2 (RN 2) misdialed a fax number and Patient 2's medical records were faxed to an unauthorized individual. Review of the medical record indicated the following medical records were faxed; emergency room notes, x-ray reports, EKG results, list of medications, history and physical and nursing notes. PHI included Patient 2's name, date of birth, date of service, medical record number, account number, diagnosis, treatments, results of lab work and medical history.The (Hospital) Policy and Procedure titled, "Facsimile Transmission of Health information" dated 6/14/13 indicated: "Staff members who are faxing patient information shall take reasonable steps to ensure the fax transmission is sent to the appropriate destination by verifying...information prior to transmission...fax number of the requesting party...repeat the fax number to the requestor...If it is determined that a fax was sent in error to an unauthorized individual...immediately contact the receiver and ask them to return the information or make arrangements for a (Hospital) staff member to retrieve the documents."The (Hospital) Policy and Procedure titled, HIPAA General Rules for the Use and Disclosure of PHI dated 4/18/12 indicated: "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. It is the responsibility of all (Hospital) workforce members to comply with policies and procedures...identify...security breaches.Refer to CA003831813. On 4/24/14 at 1:25 p.m., during an interview, the Privacy Officer (PO) stated on 1/3/14 an anonymous caller filed a complaint stating they thought a staff member at the hospital was accessing Patient 3's PHI. A full systems audit performed by the hospital indicated inappropriate access by a hospital employee. Review of the medical records indicated; Patient 3's PHI was accessed 31 times on 12/27/13 by the unauthorized individual from their (Hospital) issued lap top computer. PHI included; name, date of birth, medical record number, account number, and clinical information. The (Hospital) Policy and Procedure titled, Confidentiality/Breach of Information dated 8/16/13 indicated: "Confidentiality of Patient Information Protected health information is only to be accessed in relationship to employee's...assigned job duties, on a need to know basis. Accessing any patient information...for unauthorized purposes...is a breach of confidentiality."Refer to CA003830284. On 4/24/14 at 1:40 p.m., during an interview, the Privacy Officer (PO) stated Patient 4's PHI was accidentally placed in a discharge packet for Patient 5 and sent with Patient 5 to an unauthorized facility. Review of medical records indicated the following information for Patient 4 was included in the packet: lab work, emergency room notes, discharge instructions and history and physical. PHI disclosed included Patient 4's name, date of birth, medical records number, account number and clinical information.The (Hospital) Policy and Procedure titled, HIPAA General Rules for the Use and Disclosure of PHI dated 4/18/12 indicated: "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. It is the responsibility of all (Hospital) workforce members to comply with policies and procedures...identify...security breaches."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights