FEATHER RIVER HOSPITAL

Report ID: XZ2Y11.01, California Department of Public Health

Reported Entity: FEATHER RIVER HOSPITAL

Issue:

Based on interview and record review, the facility failed to protect confidential health information for one patient. (Patient 1)Findings:On 11/30/11 at 1 pm, the facility's privacy officer stated that on 10/10/11 at 8:30 pm, Laboratory Staff 1 (LS 1) gained unauthorized access to Patient 1's medical information and shared the information with her coworkers. The privacy officer stated that LS 1 had accessed Patient 1's name and admitting diagnosis. Patient 1 was the 2 year old son of a phlebotomist supervisor. On 11/30/11 at 1:30 pm, the Laboratory Director (LD) 2 recalled that LS 1 had been caught by Phlebotomy Supervisor (PS) 3 on 10/10/11 at 8:30 pm, viewing a computer screen displaying a software program called PowerChart. The computer screen listed patients and diagnoses that LS 1 had been previously warned by supervisory staff not to view. LD 2 stated that LS 1 had been directed only to look patients up individually and not access full page screens with patient lists. He stated that LS 1 conducted an Internet search to learn more about Patient 1's diagnosis after obtaining the diagnosis from the PowerChart which she freely shared with her coworkers. On 11/30/11, the computer screen (PowerChart) used by LS 1 was reviewed. The screen contained the name, room, bed, date of birth, account number, length of stay, physician, medical record number, admission date, admitting diagnosis and age of multiple patients. LD 2 stated the number of patients visible would depend on the census for the unit chosen; however, LS 1 had only been interested in Patient 1's name and diagnosis at the time of the breach discovery.During a telephone interview on 3/6/12 at 11:05 am, LD 2 stated that LS 1 accessed the computer screen that had lists of patients and their diagnoses. It was not a computer site that LS 1 would normally use or would need to access in her daily job routine. No other lab personnel had access to this screen/site. LD 2 explained that a former lab director had given LS 1 permission at that time. He explained that the site access could not be removed from LS 1's computer, because the facility's software computer system had no way of deleting it.During an interview on 3/6/12 at 1 pm, LD 2 stated the only time a lab employee would have permission to go into the site that LS 1 accessed would be if he was instructed to do so by himself (lab director) or a supervisor. At that time, it would only be to search for a definitive individual name. Otherwise, LD 2 stated, "The lab employees are not allowed to access this site-period."During a telephone interview on 3/6/12 at 5:40 pm, PS 3 stated she saw LS 1 access the computer screen that showed the names and diagnoses of all patients in the hospital. PS 3 stated she informed LS 1 that she should not be accessing that site. PS 3 stated LS 1 had told her that another supervisor's son (Patient 1) was in the hospital and asked her what his diagnosis meant. PS 3 stated she told LS 1 that she did not know what the diagnosis was and again informed LS 1 that she should not be looking at patients' names and diagnoses. PS 3 stated she saw LS 1 use the computer's Internet site that defined Patient 1's diagnosis and then listened to an audio version of the signs and symptoms of the patient's diagnosis. PS 3 stated she had been a relatively new supervisor at that time of the breach and was unsure of what the protocol was and/or what to do about LS 1 being seen on 10/10/11 viewing the prohibited site. PS 3 stated she reported the breached information incident to LD 2 at the next supervisor meeting on 11/9/11, a month later.

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

The report containing this deficiency also includes information about 4 other violations. Note that these may be related to the same event: XZ2Y11.02, XZ2Y11.03, XZ2Y11.04, XZ2Y11.05