This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN FRANCISCO GENERAL HOSPITAL

1001 POTRERO AVENUE SAN FRANCISCO, CA 94110

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 24, 2014. Also cited in 27 other reports.


Report ID: 2NUH11.01, California Department of Public Health

Reported Entity: SAN FRANCISCO GENERAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure the confidentiality of Patient A's protected health information (PHI) when Staff 1 reviewed Patient A's Lifetime Care Record (LCR - electronic medical record) without authorization and shared Patient A's PHI with member(s) of Patient A's family.

Findings:

During an interview on 4/1/14 at 3:30 PM, the Nurse Manager (NM) for the Family Health Clinic and the Director of Clinical Operations (DCO) stated that on 2/24/14 the Privacy Officer (PO) notified them that there had been a potential privacy breach at the Women's Health Clinic. They stated that on 2/6/14, Patient A had filed a complaint with the Patient Advocate Office stating that Patient A believed someone had accessed her LCR and released information without authorization, which resulted in personal difficulty for Patient A.

The facility provided a copy of Patient A's "Patient Concern Statement", dated 2/6/14 at 6:30 PM. Record review indicated that Patient A was alleging that someone went into her records of 9/2013 and released her information. Patient A went on to say "that by them doing that they caused confusion in my marriage." The NM and DCO went on to say that the PO had an audit performed and it indicated that a member of their staff, Staff 1, had accessed Patient A's LCR on two occasions. They told the PO that in her duties in the Family Health Clinic, Staff 1 had no need to access Patient A's record.

In a telephone interview on 4/2/15 at 11:45 AM, the PO stated the Patient Advocate Office had contacted her about Patient A's concern about a possible breach of medical information. On 2/25/14, she (the PO) authorized the Information Technology Department to run an audit of all users who had accessed Patient A's LCR. This audit report was analyzed by the Privacy Analyst to determine which users had a business justification for entering Patient A's LCR. The PO stated that a second audit was done to highlight those users who did not have an apparent reason for accessing Patient A's LCR. The PO stated that she personally reviewed both audits and Staff 1 was the only user with no apparent justification for accessing Patient A's LCR. The PO provided copies of both of these audits. Record review confirmed that Staff 1 had accessed Patient A's LCR on 9/9/13 and 12/26/13.

In a telephone interview on 5/24/14 at 2:45 PM, the PO stated that during the 12/26/13 access, Staff 1 spent approximately twenty minutes reviewing eleven fields in Patient A's LCR, including doctors' notes, procedures, and all appointments. The PO went on to discuss the following steps in her investigation. The PO said she was having difficulty contacting Patient A. When the audit results became available she met with Staff 1 for an interview on 2/26/14. During this 2/26/14 interview, Staff 1 admitted to accessing Patient A's record without authorization and giving this information to the family member of Patient A who had asked Staff 1 to review Patient A's LCR. The PO placed Staff 1 on Administrative Leave pending a follow-up interview with her Union Representative.

The PO stated she did have a telephone conversation with Patient A, who was hesitant to add any details to her original complaint. The PO stated Patient A knew Staff 1 to be a friend of her mother's. Patient A told the PO she also knew her information had been released to a family member because she, Patient A, had seen a copy of her chart which the family member had in his/her possession. Patient A declined to say which family member had possession of the copy of her LCR.

The PO stated that on 3/14/14, the interview with Staff 1 was resumed with Staff 1's Union Representative in attendance. During this 3/14/14 interview, Staff 1 stated she knew Patient A's mother and it was Patient A's mother who had asked her to review Patient A's chart. The PO said she asked Staff 1 if she had printed any parts of Patient A's LCR, and Staff 1 said she had accidentally printed some of it, which she shredded. During a telephone interview on 4/2/15 at 11:45 AM, the PO stated that the Information Technology Department had told her there was no way they could determine whether a field in the LCR had been printed.

The PO provided a copy of her Investigation Report regarding Staff 1 and Patient A. Record review indicated that it confirmed the telephone conversations regarding the investigation.

Record review indicated Staff 1 had received annual Compliance Training on 9/11/13 and Patient Privacy and Information Security Training on 9/17/13. Record review indicated Staff 1 had signed a Confidentiality, Security and Electronic Signature Agreement on 10/4/12 and again on 2/22/13. Record review indicated Staff 1 had received HIPAA Privacy and Confidentiality Training during her initial orientation to the hospital.

The hospital's policy and procedure "HIPAA Compliance: Authorization for Use and Disclosure of Protected Health Information", dated 12/12, describes the procedures for obtaining authorization to access and disclose information. Staff 1 was supposed to follow these procedures but did not do so with Patient A's protected health information. The hospital's policy and procedure "Health Information Services: Confidentiality, Security, and Release of Protected Health Information", dated 6/21/11, stated "Protected health information may be released only for approved purposes, and with proper authorization from the patient..." Staff 1 did not follow this policy and procedure.

The facility provided a copy of the letter to Staff 1, dated 4/18/14, which indicated that Staff 1 had been permanently dismissed from her position at the facility.

The Hospital failed to ensure the confidentiality of Protected Health Information and personal medical information when Staff 1 accessed Patient A's Lifetime Care Record and released this information to unauthorized recipient(s). The employee's action of accessing the patient's medical information for an improper purpose violated Health and Safety Code 1280.15 (a) and is therefore subject to the applicable civil penalty assessment.
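The investigation above rests on two audit passes: first a list of every user who opened Patient A's record, then a filter that keeps only the users with no business justification, with the session length and the fields viewed used to characterise the access. The following is an added example of that audit logic, not the report's or the hospital's own tooling. The log format (timestamp|user|patient|user department|field), the rule that an access is justified when the user's department had a documented encounter with the patient in a date window around the access, and every user, patient and timestamp are constructed assumptions. The report also notes that IT could not tell whether a field had been printed; this example only sees view events, so a real audit log would need print and export events recorded alongside views to close that gap.

```python
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed sample EHR access log (not real data). One line per field view:
# timestamp|user|patient|user_department|field
SAMPLE_LOG = """\
2013-09-09T10:02:11|nurse_wh_01|PATIENT_A|womens_health|visit_note
2013-09-09T10:05:40|nurse_wh_01|PATIENT_A|womens_health|medications
2013-09-09T14:20:03|staff_fh_07|PATIENT_A|family_health|visit_note
2013-12-26T09:01:00|staff_fh_07|PATIENT_A|family_health|visit_note
2013-12-26T09:04:12|staff_fh_07|PATIENT_A|family_health|procedures
2013-12-26T09:21:30|staff_fh_07|PATIENT_A|family_health|appointments
2013-12-26T11:00:00|dr_wh_02|PATIENT_A|womens_health|lab_results
2013-12-27T08:00:00|staff_fh_07|PATIENT_B|family_health|appointments
"""

# Constructed "business justification" data (assumption): departments that
# treated each patient, with the date window in which access is expected.
CARE_ENCOUNTERS = {
    "PATIENT_A": [("womens_health", "2013-09-01", "2014-01-31")],
    "PATIENT_B": [("family_health", "2013-12-01", "2014-01-31")],
}


@dataclass
class Session:
    """All views by one user of one patient's record on one calendar day."""
    user: str
    patient: str
    day: date
    start: datetime
    end: datetime
    fields: set = field(default_factory=set)
    justified: bool = True

    @property
    def minutes(self) -> float:
        # Time between first and last field view in the session.
        return round((self.end - self.start).total_seconds() / 60, 1)


def parse_log(text: str):
    """Parse the pipe-delimited log into (timestamp, user, patient, dept, field) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, dept, fld = line.split("|")
        events.append((datetime.fromisoformat(ts), user, patient, dept, fld))
    return events


def has_justification(encounters, patient: str, dept: str, when: date) -> bool:
    """True if the user's department had an encounter with the patient covering the access date."""
    for enc_dept, start, end in encounters.get(patient, []):
        if enc_dept == dept and date.fromisoformat(start) <= when <= date.fromisoformat(end):
            return True
    return False


def build_sessions(events, encounters):
    """First audit pass: group every access into per-user, per-patient, per-day sessions."""
    sessions = {}
    for ts, user, patient, dept, fld in sorted(events):
        key = (user, patient, ts.date())
        session = sessions.get(key)
        if session is None:
            session = Session(user, patient, ts.date(), ts, ts)
            session.justified = has_justification(encounters, patient, dept, ts.date())
            sessions[key] = session
        session.end = max(session.end, ts)
        session.fields.add(fld)
    return list(sessions.values())


def find_unjustified_access(log_text: str, encounters):
    """Second audit pass: keep only sessions with no apparent business justification."""
    return [s for s in build_sessions(parse_log(log_text), encounters) if not s.justified]


if __name__ == "__main__":
    for s in find_unjustified_access(SAMPLE_LOG, CARE_ENCOUNTERS):
        print(f"{s.day} {s.user} -> {s.patient}: {s.minutes} min, fields={sorted(s.fields)}")
```

On the constructed log this flags only the two sessions by the family-health user against PATIENT_A, and reports the second one as a 20.5-minute session covering three fields; every other access falls inside a treating department's encounter window and is dropped. The justification rule is deliberately simple; a production audit would also accept care-team membership, referrals and break-the-glass records as justification rather than department alone.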

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
