Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 16, 2012. Also cited in 62 other reports.
Report ID: 9D6L11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical record and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:
1. Patient 1's Explanation of Benefits (EOB) was mistakenly mailed to Patient 2.
2. Patient 3's discharge summary was mistakenly faxed to a physician who was not involved in Patient 3's care.
3. Patient 4 and Patient 5's billing statements were mistakenly mailed to a private citizen's home.
4. Patient 6's discharge summary was mistakenly given to Patient 7.
These failures placed Patient 1, Patient 3, Patient 4, Patient 5 and Patient 6's PHI at a potential risk for unauthorized use.
Findings:
Refer to CA00304963
1. On 5/16/12 at 9:40 a.m., Staff 1 (Privacy Officer) stated on 3/26/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed, Staff 2 (Billing Clerk) mistakenly entered the wrong insurance information for Patient 1. Staff 1 stated due to the error Patient 1's EOB was mailed to Patient 2's home.
On 5/24/12 at 3:25 p.m., the EOB was reviewed and contained Patient 1's name, address, phone number, Insurance identification number, Medi-Cal account number, and Medi-Cal newborn hearing account number.
On 5/24/12 at 4:40 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of [facility] to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Patients have the right to request the facility to communicate with them about their health information in a confidential fashion, including specifying what address or phone number to use for this purpose. Facility staff who communicate with patients, mail information, or leave messages, should verify whether the patient has provided confidential communications information prior to making the communication."
Refer to CA00305482
2. On 5/16/12 at 9:40 a.m., Staff 1 stated on 3/29/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed, on 3/28/12 Staff 3 (Physician) mistakenly faxed Patient 3's discharge summary to a Radiologist office instead of the intended Cardiologist office. Staff 1 stated the Radiologist had no involvement in Patient 3's care. Staff 1 stated it was Staff 3's responsibility to ensure PHI was faxed to the correct destination.
On 5/24/12 at 3:25 p.m., the discharge summary was reviewed and contained Patient 3's name, date of birth, date of service, attending physician, medical record number, account number, diagnosis, clinical findings, medication and treatment.
On 5/24/12 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of [facility] to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."
The facility policy and procedure number 12108, titled "Facsimile Transmission of Health Information," dated 7/26/10, contained the following documentation: "Staff members faxing patient information shall take reasonable steps to ensure that the fax transmission is sent to the appropriate destination."
Refer to CA00306347
3. On 5/16/12 at 9:40 a.m., Staff 1 stated on 4/5/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 4 (Accounting Clerk) mistakenly mailed Patient 4 and Patient 5's billing statements to a private citizen's home.
On 5/24/12 at 3:25 p.m., the billing statements were reviewed and contained the following: Patient 4's name, date of birth, date of service, address, account number, medical record number, guarantor, medication prescribed and procedures including operative, cardiac, laboratory and Intravenous (IV) therapy. Patient 5's name, date of birth, date of service, address, account number, medical record number, guarantor, medication prescribed and procedures including operative, intensive care, IV therapy, physical and occupation therapy, speech pathology, laboratory and medical imaging services.
On 5/24/12 at 4:40 p.m., the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of [facility] to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Patients have the right to request the facility to communicate with them about their health information in a confidential fashion, including specifying what address or phone number to use for this purpose. ...workforce members who communicate with patients, mail information, or leave messages, should verify whether the patient has provided confidential communications information prior to making the communication."
Refer to CA00308912
4. On 5/16/12 at 9:40 a.m., Staff 1 stated on 4/25/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 5 (Unit Clerk) mistakenly gave Patient 6's discharge summary to Patient 7. Staff 1 stated it is the staff's responsibility to check the patient's identification band to ensure the right patient was receiving the right documents.
On 5/24/12 at 4:40 p.m., the discharge summary was reviewed and contained Patient 6's name, date of birth, weight, height, date of service, medical record number, attending physician, physical assessment, medical history, diagnosis, medication, laboratory results.
The facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: It is the policy of [facility] to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes...The facility may only use or disclose PHI if the patient has given a valid authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights