KINDRED HOSPITAL - ONTARIO

Report ID: B82411, California Department of Public Health

Reported Entity: KINDRED HOSPITAL ONTARIO

Issue:

Based on interview and record review, the facility failed to ensure confidential treatment of protected health information (PHI) of Patient A, Patient B, Patient C, and Patient D when Employee 1 sent medical records of Patient A, Patient B, Patient C, and Patient D in error to an insurance company, instead of the intended patient ' s medical records. This failure resulted in a confidentiality breach of PHI for Patient A, Patient B, Patient C, and Patient D.Findings:On September 24, 2014 at 4:30 PM, a phone interview was conducted with DQM (Director of Quality Management) regarding an entity reported incident of a breach of PHI for Patient A, Patient B, Patient C, and Patient D. DQM stated the manager of medical records discovered the breach on September 2, 2014 while she was reviewing copies of the records, which had been recently sent out to the insurance company. DQM stated Employee 1, who was in charge of preparing medical records of a patient to be sent out as requested by the insurance company, did not verify all contents of records for accuracy before sending them out. As a result, medical records of Patient A, Patient B, Patient C, and Patient D were unknowingly sent along with medical records of the intended patient to the insurance company. During a review of the records sent out to the insurance company, the following information was unintendedly disclosed: 1. Patient A: "Patient registration data" (including the patient's full name, Kindred-issued medical record number, last four digits of social security number, patient's home address, home phone number, admission date, admission location, diagnosis, contact information of next of kin and emergency contact, and guarantor information), and, "History and Physical," record.2. Patient B: "Patient registration data" (including the patient's full name, Kindred-issued medical record number, last four digits of social security number, patient's home address, home phone number, admission date, admission location, diagnosis, contact information of next of kin and emergency contact, and guarantor information), and, "Operative/Procedure report".3. Patient C: "Patient registration data" (including the patient's full name, Kindred-issued medical record number, last four digits of social security number, patient's home address, home phone number, admission date, admission location, diagnosis, contact information of next of kin and emergency contact, and guarantor information), and, "History and Physical," record.4. Patient D: "Patient registration data" (including the patient's full name, Kindred-issued medical record number, last four digits of social security number, patient's home address, home phone number, admission date, admission location, diagnosis, contact information of next of kin and emergency contact, and guarantor information), and, "Operative/Procedure report".A review of the facility's policy and procedure titled "Safeguards: Paper Documents Containing Protected Health Information," dated, "7/19/13" stipulated, "All reasonable safeguards will be taken to reduce the potential for unauthorized acquisition, access, use or disclosure of PHI."The failure of Employee 1 to ensure the correct records were prepared and sent to the insurance company resulted in an unauthorized disclosure of PHI for Patient A, Patient B, Patient C, and Patient D.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights