Adventist Medical Center

Report ID: O84811, California Department of Public Health

Reported Entity: ADVENTIST MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's medical information was faxed to an unauthorized recipient. (refer to CA00351719)2. Patient 3's PHI was faxed to an unauthorized recipient. (refer to CA00351704)3. Patient 4's PHI was given to Patient 5 at time of discharge. (refer to CA00351715)These failures resulted in not protecting the PHI for Patient's 1, 3 and 4 and had the potential for unauthorized use. Findings: Refer to CA003517191. On 12/18/13 at 9:16 a.m., during an interview, Privacy Officer 1 (PO 1) stated the Health Information Management Clerk (HIMC) received a request for Patient 2's PHI from a provider. The HIMC faxed Patient 1's PHI to the provider in error.Review of the medical record indicated the following PHI for Patient 1 was faxed to the provider; Patient 1's history and physical, emergency room reports, radiology reports and laboratory reports. The reports contained Patient 1's name, date of birth, medical record number, account number, dates of service, laboratory and x-ray results, medications and health history. The (Hospital) Policy number 1000.03.14: Faxing Patient Protected Health Information, dated 11/18/09 indicated, Policy Summary/Intent: "It is the policy the organization...It is the senders responsibility to be aware of the content of the faxes they are sending, to exercise caution in faxing confidential information, and to take precautionary steps to; validate the fax number, key in the correct fax number, confirm fax was sent to correct fax number, as well as, request is appropriate and meets minimum necessary." Refer to CA003517042. On 12/18/13 at 9:15 a.m., during an interview, Privacy Officer 1 (PO 1) stated on 4/16/13 Patient 3's PHI was breached when the Radiology Scheduler (RAD SCH) selected the wrong provider for Patient 3 and then faxed Patient 3's PHI to the wrong provider.Patient 3's PHI included name, medical record number, account number, physician and findings. The (Hospital) Policy number 1000.03.14: Faxing Patient Protected Health Information, dated 11/18/09 indicated, Policy Summary/Intent: "It is the policy the organization...It is the senders responsibility to be aware of the content of the faxes they are sending, to exercise caution in faxing confidential information, and to take precautionary steps to; validate the fax number, key in the correct fax number, confirm fax was sent to correct fax number, as well as, request is appropriate and meets minimum necessary." Refer to CA003517153. On 12/18/13 at 9:20 a.m., during an interview, the Privacy Officer (PO) stated Patient 4's two prescriptions for medication were given to Patient 5 by the Registered Nurse (RN) in the emergency room at time of Patient 5's discharge.Patient 4's PHI on the prescriptions included; Patient 4's name, address, phone number, date of birth, gender, medical record number, medication, dosage, date of service and prescribing physician. The (Hospital) policy and procedure number 1000.08.09 titled Confidentiality of Protected Health Information dated 5/14/10 indicated: "[Hospital] is committed to protecting the privacy and security of protected health information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. ...Breach of patient confidentiality through carelessness is when patient information is unintentionally or carelessly accessed, reviewed, or revealed without a legitimate need to know the patient information."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights