VICTOR VALLEY GLOBAL MEDICAL CENTER

Report ID: O5XD11, California Department of Public Health

Reported Entity: VICTOR VALLEY GLOBAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI), when a registered nurse (RN1) gave copies of Patient A's lab results to Patient B on May 13, 2013. The PHI disclosed for Patient B included name, date of birth, medical record number, account number, age and the following lab results for Patient B:Urinalysis (test that examines the urine), Complete Blood Count (CBC-a blood test to measure white, red blood cells and platelets), Comprehensive Metabolic Panel (CMP-a blood test that helps to diagnose conditions such as diabetes, kidney or liver function), Serum Lipase (a blood test to measure the amount of a protein Lipase in the blood to help diagnose pancreatitis which is inflammation of the pancreas), Protime and Partial Thromboplastin Time (PT, PTT-Blood tests to help determine the body's ability to clot and investigate bleeding), Troponin I (A protein released by the heart muscle into the blood following damage of the heart muscle) and Urine drug screen, (A test of the urine to identify if specific drugs are present). Finding:On July 14, 2014 a review of the face sheet for Patient A indicated that Patient A was admitted to the facility ED on May 11, 2013 at 9:40 PM. On May 12, 2013 at 11:00 AM, Patient A was admitted as an inpatient to the facility with a diagnosis of pancreatitis (inflammation of the pancreas).On July 14, 2013, a review of the face sheet for Patient B indicated that Patient B was admitted to the facility ED on May 11, 2013 at 7:41 AM. On May 13, 2013, Patient A was admitted as an inpatient to the facility with a diagnosis of post procedure sepsis (infection of the body).On July 17, 2014 at 9:15 AM, a telephone interview was conducted with the Facility Privacy Officer (FPO) regarding a complaint received by California Department of Public Health, Licensing and Certification Division (CDPH L&C) on May 15, 2013 concerning a potential breach of PHI for Patient A. The FPO stated, " I was not aware of the potential breach until CDPH L&C brought it to my attention during a telephone conversation on July 1, 2014. " " My investigation and follow up with the Director of Emergency Department (ED) on July 16, 2014 indicated that the Director of Quality (DQ) who was employed at that time approached the Director of ED, exact date unknown, to discuss and investigate a possible breach of PHI. The Director of ED indicated that he had reviewed the medical record for Patient B and the medical record indicated that RN1 had given a copy of test results to Patient B. When the Director of ED discussed the case with RN1, RN1 informed him that she had given copies of lab results to Patient B and was reviewing them with Patient B when she realized that she had given copies of Patient A ' s results to Patient B instead. " The FPO further stated, " I worked with the DQ at the time of breach in the Risk Management Department. If the DQ had received a complaint/concern that a HIPAA violation had occurred she would have forwarded the information to me. I would have logged it and followed up. I never received it and there is no logged entry of the incident. " On July 21, 2014 at 11:45 AM during a telephone interview with the Director of ED, he stated " Around the time of occurrence, he was informed by the DQ that she had received a complaint from Patient B regarding a possible breach of PHI. He further stated that his investigation revealed that RN1 had given a copy of Patient A ' s lab results to Patient B and noticed the error while she was reviewing the lab results with Patient B. RN1 was counseled. "When asked why RN 1 did not report the potential breach of Patient A ' s PHI, the Director of ED stated, " She didn ' t think it was a big deal at the time as she caught it right there when it happened. "A review of the facility policy and procedure titled, "Confidentiality and Protected Health Information " , effective date October 2010 indicated: " 6. Protecting PHI: "a. Appropriate levels of protection of confidentiality shall be afforded to all Printed PHI "A review of the facility document titled, " Notice of Privacy Rights " effective date January, 2004 and revised September 2013 indicated:" 7. Authorizations "" Other than the uses and disclosures described above (1-6), we will not use or disclose medical information about you without the " authorization " or signed permission of you or your personal representative. " The facility failed to protect Patient A's right to privacy resulting in the unauthorized disclosure of Patient A's PHI to Patient A without consent.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights