Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MILLS-PENINSULA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 12, 2014. Also cited in 6 other reports.
Report ID: J1TJ11, California Department of Public Health
Reported Entity: MILLS-PENINSULA MEDICAL CENTER
Issue:
1. For CA 00416063
Based on interview and record review, the facility failed to protect the confidential health information of one sampled patient (Patient 1) when the blood test results of Patient 1 were faxed to an unintended health care provider. This failure resulted in the disclosure of protected health information for Patient 1.
Finding: During an interview with the facility Privacy Officer (PO) on 11/12/14 at 10:50 a.m., PO stated that on 10/2/14, the blood test results of Patient 1 were sent to an out of network health care provider having the same first and last names. PO further stated that the Laboratory Coordinator (LC) faxed the blood test results to the wrong provider.
Review of the breached document titled: Laboratory Interim Report, collected date of blood test: 10/1/14, indicated the following: Name of Patient 1, Date of Birth, medical record number, account number, phone number, results of the Comprehensive Metabolic Panel (CMP - a group of blood tests that provide information about the body's metabolism) and Complete Blood Count (CBC - blood test that measures several components and features of the blood).
The facility letter to the California Department of Public Health (CDPH) indicated that Patient 1 was notified of the breach of medical information on 10/7/14.
Review of the facility Policy and Procedure titled: WorkForce Confidentiality and Privacy, 13-810, PolicyStat ID: 429110, Effective Date: 5/1/98, Last revised: 3/18/13. POLICY: It is the policy of XXX (name of the facility) that all members ... safeguard and protect Confidential information ... .
2. For CA 00416622
Based on interview and record review, the facility failed to ensure that health information was protected for one sampled patient (Patient 1) when the Discharge Summary Form (DSF) of Patient 1 was incorrectly handed to an unintended recipient. This deficient practice resulted in the disclosure of the health and demographic information of Patient 1.
Finding: During an interview with the facility Privacy Officer (PO) on 11/12/14 at 11:04 a.m., PO stated that on 10/8/14, the facility discovered that a Traveling Nurse (TN - a contracted staff from a Nurse's Registry) handed the Discharge Summary Form (DSF) of Patient 1 to a "wrong" patient (Patient 2). PO continued to state that Patient 2 informed the facility staff of the breach of medical information on the same day (10/8/14) and confirmed that he (Patient 2) had shredded the documents.
Review of the electronic copy of the DSF, undated, indicated the following: name of Patient 1, Date of birth, sex, race, admission and discharge dates, allergy, vital signs, surgery information, list of medications, name of primary provider, and discharge instructions.
The facility letter to the California Department of Public Health (CDPH) indicated Patient 1 was notified of the breach of health information on 10/13/14.
Review of the facility Policy and Procedure titled: WorkForce Confidentiality and Privacy, 13-810, PolicyStat ID: 429110, Effective Date: 5/1/98, Last revised: 3/18/13. POLICY: It is the policy of XXX (name of the facility) that all members ... safeguard and protect Confidential information ... .
Review of the HIPAA (Health Insurance Portability and Accountability Act) Policy for Travel Nurses, provided by the contracting Nurse's Registry to the facility, dated 5/05, indicated: "... The intent of these laws and policy is to assure that confidentiality of information is appropriately maintained ... . All nurses employed by the XXX (name of the contracting Nurses Registry) are expected to adhere to the following: ... Will follow the HIPAA policy and procedures as defined by each individual health care facility the nurse may be assigned to during her employment ... ."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights