VALLEY CHILDREN'S HOSPITAL

Report ID: JUI711, California Department of Public Health

Reported Entity: CHILDRENS HOSPITAL CENTRAL CALIFORNIA

Issue:

Based on staff interview and facility administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's prescription was mistakenly given to Patient 2.2. Patient 3's discharge instructions and appointment letter was mistakenly given to Patient 4.3. A prescription containing Patient 5's PHI was mistakenly given to Patient 6.4. Patient 7's discharge instructions was mistakenly given to Patient 8.These failures placed Patient 1, Patient 3, Patient 5, and Patient 7's PHI at a potential risk for unauthorized use.Findings:Refer to CA003045861. On 5/7/12 at 10:10 a.m., Staff 1 (Privacy Officer) stated on 3/21/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Patient 1's prescription was mistakenly given to Patient 2 during the discharge process. Staff 1 stated the facility's policy was to check the patient's identification band to ensure the right patient receives the right document. On 5/7/12 at 10:22 a.m., Staff 1 stated the prescription contained Patient 1's name, date of birth, date of service, and prescribed treatment.On 5/16/12 the facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: "Children's Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information." The facility policy and procedure number PR-1016, titled "Confidentiality" contained the following documentation: "Children's Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional."Refer to CA003052792. On 5/7/12 at 10:10 a.m., Staff 1 stated on 3/23/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Staff 2 (Registered Nurse) mistakenly gave Patient 3's discharge instructions and appointment letter to Patient 4 during the discharge process. Staff 1 stated Staff 2 failed to check the patient's identification band to ensure the right patient received the right documents.On 5/7/12 at 10:22 a.m., Staff 1 stated the discharge instructions and appointment letter contained Patient 3's name, date of birth, date of service, medical record number, account number and scheduled follow-up appoint.On 5/16/12 the facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: "Children's Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information. The facility policy and procedure number PR-1016, titled "Confidentiality" contained the following documentation: "Children's Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional."Refer to CA003063023. On 5/7/12 at 10:10 a.m., Staff 1 stated on 4/3/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Staff 3 (Physician) mistakenly gave Patient 6 a prescription that contained Patient 5's PHI during the discharge process. Staff 1 stated Staff 3 failed to check the patient's identification band to ensure the right patient received the right documents.On 5/7/12 at 10:22 a.m., Staff 1 stated the prescription contained a label with Patient 5's name, date of birth, date of service and account number.On 5/16/12 the facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: "Children's Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information." The facility policy and procedure number PR-1016, titled "Confidentiality" contained the following documentation: "Children's Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional."Refer to CA003063064. On 5/7/12 at 10:10 a.m., Staff 1 stated on 4/4/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Patient 7's discharge instructions was mistakenly given to Patient 8 during the discharge process. Staff 1 stated the facility's policy was to check the patient's identification band to ensure the right patient receives the right document. On 5/7/12 at 10:22 a.m., Staff 1 stated the discharge instructions contained Patient 7's name, date of birth, date of service, medical record number, account number, attending physician, diagnosis, medication and scheduled follow-up appoint.On 5/16/12 the facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: "Children's Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information." The facility policy and procedure number PR-1016, titled "Confidentiality" contained the following documentation: "Children's Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights