COMMUNITY REGIONAL MEDICAL CENTER

Report ID: KYGR11.01, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview, and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's PHI was faxed in error to the wrong insurance company. (refer to CA00363924).2. Patient 2's PHI was faxed in error to am unauthorized third party. (refer to CA00363772).3. Patient 3's PHI was disclosed to an inappropriate payer. (refer to CA00362404).This failure resulted in unauthorized access to Patient 1 - 3's PHI and the potential for abuse of that information.Findings:Refer to CA00363924.1. On 01/07/14 at 9:10 a.m., during an interview, the (Privacy Officer) PO stated that on 07/22/13 the Utilization Review Coordinator (URC) for Case Management had faxed Patient 1's utilization information to the wrong insurance company. The PO stated that URC should have verified the correct efax number before faxing utilization information, but this was not done.Patient 1's PHI breached included patient name, date of birth, account number and clinical assessment related to Patient 1's hospitalization on 07/06/13.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/08/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."Refer to CA00363772.2. On 01/07/14 at 9:20 a.m., during an interview, the PO stated that on 07/23/2013 she was notified by a law firm that they had received an itemized billing statement from the hospital for the wrong patient (Patient 2). The information had been sent from a copy service on behalf of the hospital. The statement received by the attorney's office belonged to a patient (Patient 2) with the same last name as the attorney's client. The PO stated that the copy service should have verified the date of birth and social security number before faxing Patient 2's information, but that was not done.Patient 2's PHI breached included the patient name, medical record number, account number, insurance identification and itemized service for services rendered.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/08/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."Refer to CA00362404.3. On 01/07.2014 at 9 a.m., during an interview, PO stated The Finance Department notified her on 07/10/2013 that they sent Patient 3's bill to the wrong insurance company. The insurance company then sent an evidence of coverage statement that included Patient 3's PHI to the wrong family. The insurance did cover an individual with the same name and date of birth as Patient 3. The hospital billing staff should have validated the address of Patient 3 before sending Patient 3's statement to the insurance company.Patient 3's PHI breached included address, medical record number and account number.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/08/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: 5WJJ11.01