SHASTA REGIONAL MEDICAL CENTER

Report ID: UCFP11.04, California Department of Public Health

Reported Entity: SHASTA REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure that an unauthorized disclosure of Patient 1's medical information was reported to the California Department of Public Health (CDPH) and to Patient 1 within 5 business days after the disclosure occurred and was detected. Finding 1:(a) On 1/30/12 at 1:45 pm, Hospital General Council D stated he received Patient 1's medical information from Hospital Chief Executive Officer (CEO) E. Hospital General Council D forwarded Patient 1's medical information to Hospital Communications Director G to write a letter rebutting misinformation that was to be published by News Agency A. Patient 1's diagnoses, lab values, medical/health consultations, and discharge information were disclosed in the letter, dated 12/13/11, and sent to News Agency A's reporter on 12/13/11 at 5:16 pm. Hospital General Council D stated he did not secure Patient 1's permission to disclose her medical information.The facility failed to notify the CDPH of this disclosure of Patient 1's medical information during the five business day period ending on 12/20/11. As of 1/5/12, the date this investigation started, CDPH determined that the facility had never notified the Department of this unauthorized disclosure of Patient 1's medical information. (b) On 1/26/12 at 1:25 pm, Hospital Chief Executive Officer (CEO) E stated that on 12/16/11 at 4 pm, he, Hospital Media Relations Staff H, and Hospital Chief Medical Officer (CMO) F took Patient 1's medical record for her admission, 1/29/10 to 2/2/10, to News Agency B's editor's office. Hospital CEO E stated that Hospital CMO F went through Patient 1's record and shared diagnoses, progress notes, lab values, medical /health consultations, and discharge information with News Agency B's reporter. Hospital CEO E stated he did not secure Patient 1's permission to disclose her medical information.The facility failed to notify the CDPH of this disclosure of Patient 1's medical information during the five business day period ending on 12/23/11. As of 1/5/12, the date this investigation started, CDPH determined that the facility had never notified the Department of this unauthorized disclosure of Patient 1's medical information. (c) On 1/26/12 at 1:25 pm, Hospital CEO E stated that he issued a memo, dated 12/20/11 at 9:53 am, to all hospital employees and medical staff, which included Patient 1's physicians' assessments, lab values, diagnoses, medical/health consultations, and discharge information. Hospital CEO E stated he did not secure Patient 1's permission to disclose her medical information.The facility failed to notify the CDPH of this disclosure of Patient 1's medical information during the five business day period ending on 12/28/11. As of 1/5/12, the date this investigation started, CDPH determined that the facility had never notified the Department of this unauthorized disclosure of Patient 1's medical information. (d) On 2/1/12 at 9:51 am, News Agency C's reporter stated he received the above memo, dated 12/20/11, in an e-mail communication on 12/27/11 at 4:08 pm from Hospital Communications Director G. On 1/4/12, News Agency C's Reporter published a news article that included a link to this memo on the Internet. On 1/30/12 at 1:40 pm, Hospital Communication Director G confirmed that he had not secured Patient 1's permission to disclose her medical information.The facility failed to notify the CDPH of this disclosure of Patient 1's medical information during the five business day period ending on 1/4/12. Hospital CEO E stated the CDPH was notified by mail on 1/4/12. The CDPH had not received a notification of this disclosure. After further review, Hospital CEO E found the letter had been sent to a wrong address.Finding 2:(a) On 1/30/12 at 1:45 pm, Hospital General Council D stated he received Patient 1's medical information from Hospital Chief Executive Officer (CEO) E. Hospital General Council D forwarded Patient 1's medical information to Hospital Communications Director G to write a letter rebutting information that was to be published by News Agency A. Patient 1's diagnoses, lab values, medical/health consultations, and clinical presentation were disclosed in the letter, dated 12/13/11, and sent to New Agency A's reporter on 12/13/11 at 5:16 pm. Hospital General Council D stated he did not secure Patient 1's permission to disclose her medical information. (b) On 1/26/12 at 1:25 pm, Hospital Chief Executive Officer (CEO) E stated that on 12/16/11 at 4 pm, he, Hospital Media Relations Staff H, and Hospital Chief Medical Officer (CMO) F took Patient 1's medical record for her admission, 1/29/10 to 2/2/10, to News Agency B's editor's office. Hospital CEO E stated that Hospital CMO F went through Patient 1's record and shared diagnoses, progress notes, lab values, medical/health consultations, and discharge information with News Agency B's editor. Hospital CEO E stated he did not secure Patient 1's permission to disclose her medical information.(c) On 1/26/12 at 1:25 pm, Hospital CEO E stated that he issued a memo, dated 12/20/11 at 9:53 am, to all hospital employees and medical staff which included Patient 1's physicians' assessments, lab values, diagnoses, medical/health consultations, and discharge information. Hospital CEO E stated he did not secure Patient 1's permission to disclose her medical information.On 1/26/12 at 1:25 pm, Hospital CEO E stated Patient 1 was notified on 1/4/12 at 4:07 pm that her medical information had been disclosed to unauthorized individuals. This notification occurred 15 days after the five day reporting period had expired on 12/20/11.

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

The report containing this deficiency also includes information about 4 other violations. Note that these may be related to the same event: UCFP11.01, UCFP11.02, UCFP11.03, UCFP11.05