This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Scripps Mercy Hospital

4077 5TH AVE, SAN DIEGO, CA 92103

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 2, 2014. Also cited in 72 other reports.


Report ID: 0O6711, California Department of Public Health

Reported Entity: SCRIPPS MERCY HOSPITAL

Issue:

Based on interview, record and document review, the hospital failed to ensure that Patient 2's personal and protected health information (PHI) was kept confidential when an Information Coordinator Representative (ICR) mailed portions of Patient 2's medical record to Patient 1. As a result of this failure, Patient 1 had access to Patient 2's personal information.

Findings:

An investigation of an entity reported privacy breach was initiated on 9/2/14. It was reported to the California Department of Public Health that, on 7/21/14, an unauthorized and inadvertent disclosure of Patient 2's medical information was mailed to Patient 1's home address.

On 9/2/14 at 3:45 P.M., an interview was conducted with the Clinical Risk Specialist (CRS). The CRS stated that Patient 1 had signed a release to have her medical records mailed to her home address. The CRS stated that Patient 1 called the hospital on 7/21/14 and informed the hospital that the records sent by mail were another patient's medical record (Patient 2's). The CRS stated that the process for the release of medical records was that the patient signed a "Release of Information", the request was entered and sent to the medical records department. The ICR was responsible for ensuring that the printed documents had the correct patient information. The CRS stated that the ICR should have checked the "Release" form against the records to ensure that the correct record was printed. The CRS stated that the release was entered under the wrong patient and that the ICR should have checked the release with that request, but that this step was not done.

On 9/3/14 at 9:50 A.M., a review of the documents mailed to Patient 1 was conducted. Patient 1 received the following:

1) Patient 2's "Emergency Record", dated 6/23/11, which included: date of service, medical record number, account number, history of event that brought Patient 2 to the emergency room, and the course of treatment.

2) Patient 2's "History and Physical", dated 6/23/11, which included: date of admission, medical record number, account number, Patient 2's name, history of present illness, physical examination, assessment and plan.

3) Patient 2's "Operative Report", dated 6/23/11, which included: Patient 2's name, medical record number, account number, date of operation, pre and postoperative diagnosis, procedure performed and the description of the procedure.

4) Patient 2's "Discharge Summary", dated 6/23/11, which included: Patient 2's name, medical record number, account number, admit date, discharge date, history and physical, discharge diagnoses, hospital course, diagnostic procedures, discharge instructions, and medications.

5) Patient 2's lab results, CT scan (Computerized Tomography) results and ultrasound pictures.

A review of the hospital's policy and procedure, entitled "Health Information, Access, Use and Disclosure", dated 9/13, indicated "IV. Procedures A. Guiding Principles for Release of information, Wherever or whoever is releasing information must follow seven guiding principles for release by checking the following: 1. Correct Patient, 2. Correct MRN (medical record number), ...6. Correct Fax or Address for the Recipient 7. correct Recipient (person is authorized to receive)."

The ICR's failure to follow the policy and procedure with regards to the double-checking of the identifying patient information resulted in the inadvertent and unauthorized release of Patient 2's protected health record information. This was also in violation of Patient 2's right to confidentiality of all communications and records pertaining to health care received at the hospital.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
