Adventist Medical Center

Report ID: 8ZGJ11, California Department of Public Health

Reported Entity: ADVENTIST MEDICAL CENTER

Issue:

Based on staff interview, Clinical record, and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1, 2 and 3's medical information was mailed to an unintended recipient. (refer to CA00411337)2. Patient 4's PHI was faxed to an unintended recipient. (refer to CA00411353)3. Patient 5's PHI was faxed to an unintended recipient. (refer to CA00411388)These failures resulted in the breach of Patient's 1, 2, 3, 4, and 5's PHI and potential for unauthorized use. Findings: Refer to CA004113371. On 9/17/14 at 1:30 p.m., during an interview, the Privacy Officer (PO) stated on 8/6/14, Patient 1, 2 and 3's PHI was mailed by a third party business associate (hospital contracted business) to an unintended recipient.Review of the medical record indicated the following information was mailed on 8/6/14 to the unintended recipient for Patients 1, 2 and 3: Name, date of birth, address, account number, medical record number, financial account number, dates of service and radiology reports. The hospital policy number titled "Compliance With Business Associate Requirements" dated 9/29/13 indicated, "Policy: Compliance-Key Elements A. It is the intent of ... to ensure that contracts with business associates include the required provisions as described in the HIPAA Privacy Security and Breach Notification Rule ... The business associate cannot use or disclose information in any manner, which would not be permissible for the covered entity under the rule."Refer to CA004113532. On 9/17/14 at 1:50 p.m., during an interview, the Privacy Officer (PO) stated on 8/20/14 a Medical Analyst (secretary for the medical records department) accidentally faxed Patient 4's PHI to an unintended recipient. Review of the medical record indicated the records faxed with Patient 4's PHI included; name, date of birth, date of service, medical record, account number, medication list, and medical history . The hospital policy and procedure titled "Faxing Patient Protected Health Information" dated 11/28/12, indicated "It is the policy the organization to authorize faxing of confidential documents only in cases when it is an emergency... It is the senders responsibility to be aware of the content of the faxes they are sending, to exercise caution in faxing confidential information, and to take precautionary steps to; validate the fax number, key in the correct fax number, confirm fax was sent to correct fax number, as well as, request is appropriate and meets minimum necessary."Refer to CA004113883. On 9/17/14 at 1:35 p.m., during an interview, the Privacy Officer (PO) stated on 8/15/14 a Medical Analyst (secretary for the medical records department) accidentally faxed reports including Patient 5's PHI to an unintended recipient. The breach was discovered 8/19/14. Review of the medical records indicated the records faxed with Patient 5's PHI included; name, date of birth, date of service, medical record number, account number, pathology report, and clinical findings.The hospital policy and procedure titled "Faxing Patient Protected Health Information (PHI)" dated 11/28/12, indicated "Policy Summary/Intent: It is the policy the organization to authorize faxing of confidential documents only in cases when it is an emergency... It is the senders responsibility to be aware of the content of the faxes they are sending, to exercise caution in faxing confidential information, and to take precautionary steps to; validate the fax number, key in the correct fax number, confirm fax was sent to correct fax number, as well as, request is appropriate and meets minimum necessary."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights