KAISER FOUNDATION HOSPITAL - RIVERSIDE

Report ID: X0S111.01, California Department of Public Health

Reported Entity: KAISER FOUNDATION HOSPITAL, RIVERSIDE

Issue:

Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 6). Patient 6's confidential information was sent via facsimile to a private home on April 4, 2012, by Staff 1. This resulted in the unauthorized disclosure of Patient 6's protected health information.Findings:On April 16, 2012, at 9:25 a.m., an interview was conducted with the Director of Accreditation/Licensure & Regulatory Affairs (DALRA) and the Director Utilization Review (DUR). The DALRA and DUR stated: a. On April 4, 2012, Patient 6's "Face Sheet" and "Hospital Discharge Summary - Skilled Nursing Facility Transfer (Discharge) Summary and Admission Orders" were faxed to a private home facsimile number by Staff 1. The information was intended to be faxed to a Skilled Nursing Facility.b. On April 4, 2012, the owner of the private home facsimile informed Staff 1 that he was in receipt of six pages of information regarding Patient 6.c. On April 4, 2012, Staff 1 informed the DUR of the unauthorized disclosure of Patient 6's PHI via facsimile to a private home.d. On April 5, 2012, the DUR notified the facility Compliance Officer.e. On April 27, 2012, the original facsimiles sent to the private home facsimile were returned to the facility via the United States mail system.The owner of the private home facsimile number received and had an opportunity to view Patient 6's PHI, which included name, gender, medical record number, date of birth, admission date, address, telephone number, emergency contact information to include there telephone numbers, health insurance information to include member identification numbers, diagnosis, current medications, and admission orders to the Skilled Nursing Facility.Patient 6's responsible party was informed of the disclosure of Patient 6's protected health information (PHI) via a telephone call from the Director Utilization Review, on April 5, 2012, and a letter dated and mailed on April 5, 2012, to Patient 6's last known address.The California Department of Public Health (CDPH) was notified via a telephone call of the unauthorized access of Patient 6's PHI, on April 11, 2012; and via facsimile on April 16, 2012, by a letter dated April 12, 2012. The facility policy and procedure titled "Patients' Rights" revised June 2010, indicated "... To expect all communications and other records pertaining to their care, including the source of payment for treatment, to be treated as confidential. ..."The facility policy and procedure titled "Mitigation of Impermissible Uses and Disclosures of Protected Health Information" revised October 2010, indicated "... Protected Health Information (PHI). Individually identifiable health information, including demographic information ... such as name, date of birth, address, ..."The facility policy and procedure titled "Notification Regarding Breaches of Protected Health Information" revised October 4, 2010, indicated "... Licensee must report to CDPH any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined, no later than 5 business days after the facility detects the above occurrence. ... A Licensee must also notify the affected patient (or, as applicable, the patient's representative) at the last known address, no later than 5 business days after the Licensee detects the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information. ..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: 1WT011.01