ST JUDE MEDICAL CENTER

Report ID: SGP911.01, California Department of Public Health

Reported Entity: ST JUDE MEDICAL CENTER

Issue:

Based on review of hospital documents, the hospital failed to prevent the disclosure of protected health information (PHI) to unauthorized individual(s) and/or entity(ies) for Patients S, U, Rr, W and Y. Findings:1. Review of the hospital's documentation showed a breach of Patient S's PHI had occurred. The hospital's investigation showed Patient S had previously been treated at the hospital under Worker's Compensation insurance. The patient's most recent visit to the hospital's emergency department showed during the registration process, the Worker's Compensation insurance was brought forward as the billing insurance. The hospital was later notified Patient S's employer was billed for the patient's personal visit to the emergency department which was not work related. The PHI disclosed to Worker's Compensation insurance and the patient's employer included the patient's name, address, phone number, services rendered and the cost of those services obtained during the hospital visit.2. On 3/18/11, documentation showed the hospital was made aware a breach of Patient U's PHI had occurred. The hospital's investigation showed the Privacy Officer was notified a patient was incorrectly billed for services received in the emergency department. During Patient U's registration to the emergency department, two persons with the same name came up on the hospital's system. The wrong patient was billed for services rendered by Patient U. Patient U's PHI disclosed to the other patient and the wrong insurance company included the name, address, phone number, medical record number, date of service and the bill for services received by Patient U.3. On 12/14/11, the Department was notified a breach of PHI had occurred on 12/12/11, involving Patient Rr. Patient Rr's PHI had been disclosed to unauthorized individuals. Review of hospital documentation of their investigation showed the hospital was notified by another acute care hospital Patient Rr's face sheet was mixed in with the paperwork of a patient who transferred to them by the hospital. Both patients had similar names but different middle names. The PHI disclosed included the patient's name, demographics, medical record number, diagnoses and physician.4. Hospital documentation showed a breach of Patient W's PHI was discovered on 4/5/11. The hospital investigation showed during the registration process to the emergency department, Patient W was registered with the previously used Worker's Compensation as the patient's insurance. The patient's visit to the emergency department was of a personal nature and not work related. Patient W's employer was billed under Worker's Compensation insurance for the visit. The patient's employer and Worker's Compensation received PHI related to the patient's personal emergency department visit.Patient W's PHI included name, date of birth, medical record number, date of service and a bill for services rendered.5. The Department was notified on 5/25/11, a breach of Patient Y's PHI had occurred. Review of the hospital's investigation showed a minor patient and his responsible party were discharged from the emergency department. The minor patient required a note to return to school. When the minor patient and his responsible party arrived at the school, they noticed the note to return to school was labeled with another patient's label. Patient Y's PHI disclosed included the name, date of birth, medical record number, attending physician and date of admission.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

4 other violations reported on the same date. Note that other citations may be about the same event: L4GG11.01, L4GG11.02, L4GG11.03, TOXG11.01