ORANGE COUNTY GLOBAL MEDICAL CENTER

Report ID: 5MZ311, California Department of Public Health

Reported Entity: WESTERN MEDICAL CENTER SANTA ANA

Issue:

Based on interview and hospital document review, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI) to unauthorized individuals for 14 patients (Patients A, B, C, D, E, F, G, H, I, J, K, L, M, and N).Findings:1. Review of hospital documentation showed a breach of PHI involving Patient A occurred on 10/25/11.On 10/24/11, Patient A was a patient in the Observation Unit. On 10/25/11, another patient who was also in the Observation Unit was given discharge documents with Patient A's PHI on them. Patient A's addressograph was used to stamp all of the discharge documents belonging to the other patient. Patient A's PHI was taken home with the discharged patient.Patient A's PHI disclosed included name, date of birth, account number and medical record number, physician name, and date of admission.2. Review of the hospital's investigation showed on 12/12/11, the Privacy Officer was made aware a breach of PHI had occurred involving Patient B.On 7/18/11, the hospital's ED admitted Patient B, a non-responsive patient who had no form of identification and was noted to be homeless by his appearance. At first, the patient had been classified as a "XXXXXXX" but later in the Observation Unit an admissions representative obtained a name and a date of birth from the patient. With this information, the admissions representative was able to get a social security number and address from the hospital's system. The information was used to bill Patient B for services rendered while in the hospital. However, the bill was returned as "return to sender, delivery attempted, not known, unable to forward." On 8/8/11, the hospital's system showed a more current address and the bill was sent to the address found. On 11/16/11, the billing service for the hospital received a dispute letter from a person who stated he was not Patient B. The person sent a copy of his driver's license, which had the same name and date of birth as Patient B. Patient B's PHI disclosed on the bill included dates of service, physician, medical record number, Account numbers and date of birth. On 1/15/13 at 1100 hours, during a telephone interview with the hospital's Privacy Officer the above breach investigation was verified. The Privacy Officer stated the person sent the billing letter was not, Patient B. This was verified through investigation, as the picture on the person's driver's license was shown to the staff that had contact with Patient B.3. On 2/3/12, the Privacy Officer was made aware a breach of PHI occurred involving Patient C. Review of the hospital's investigation showed on 1/4/12, a Registration Representative obtained the identification information of Patient C, who was seen in the ED (Emergency Department). When attempting to register the patient, the staff entered the patient's name and address into the hospital's computer system. However, the staff failed to verify all of the information in the computer system and chose another patient with the same name but different middle name.The hospital sent the bill for services rendered by Patient C to the other patient chosen in the system. Patient C's PHI disclosed included name, account number, admission date, and account balance.4. Review of hospital documents showed on 1/6/12, a breach of PHI involving Patient D occurred.On 1/6/12, a clerical staff from case management faxed documents requested from a home health agency. After printing the requested documents, the clerical staff did not verify the documents removed from the printer before faxing them. The hospital was notified three pages of billing for Patient D were included in the fax to the home health agency. Patient D's PHI disclosed included name, date of birth, date of admission, and number of days in hospital.5. On 1/27/12, the Department was notified a breach of PHI involving Patient E occurred. On 1/24/12, a staff member in the Out Patient Department discovered the addressograph of Patient E was used to stamp another patient's paperwork.The PHI belonging to Patient E and disclosed to another patient included name, date of birth, account number, medical record number, physician's name, date of service and home medication documented on the discharge Medication Reconciliation form.6. On 2/9/12, the Department was notified a breach involving Patient F occurred.A family member of Patient F made the care decisions and signed consents for the patient. The family member was an employee at the hospital's sister facility.On 2/7/12, the Privacy Officer was notified that on 1/28/12, the family member of Patient F obtained the PHI of the patient in an inappropriate manner.Review of hospital documentation showed, on 1/28/12, Patient F's family member called the microbiology lab to obtain the lab results. The family member posed as an employee in the patient's nursing unit and gave the patient's name and location. The lab results were given to the patient's family member.7. On 3/1/12, the Privacy Officer was notified a breach of Patient G's PHI occurred on 2/23/12.Review of the hospital's investigation showed on 2/23/12, Patient G was seen in the ED. A staff member registered the patient to the wrong medical insurance group for billing and faxed the patient's PHI to the incorrect insurance company.Patient G's PHI on the face sheet and clinical review data included full name, address, date of birth, social security number, account and medical record numbers, physician name, admitting diagnosis, date of admission, insurance information, laboratory results, medication, and case management notes. 8. Review of hospital documents showed a breach of Patient H's PHI occurred on 3/16/12.On 3/19/12, the Privacy Officer was notified of the breach involving Patient H. Review of the hospital's investigation showed on 3/16/12, a staff member released another patient's chart into the hospital's Horizon Patient Folder computer system and sent it to the San Bernardino field office for billing. The hospital was later notified that a form belonging to Patient H had been found in the other patient's chart. The form belonging to Patient H disclosed PHI including name, date of birth, account and medical record numbers, physician name, date of admission and various discharge criteria.9. Review of the hospital's investigation, dated 4/11/12, showed a breach involving Patients I, J, K and L occurred on 4/4/12.A staff member was called to a deposition by a law group and was requested to bring copies of documents pertaining to the certain patient. An attorney noted the documents also included the PHI of Patients I, J, K and L. Risk Management was not asked to review the documents copied and the documents were not redacted to remove the other patients' PHI.The PHI disclosed included names, account and medical record numbers, ages, room assignments and test screenings.10. On 4/20/12, the Department was notified a breach of Patient M's PHI occurred on 4/15/12.On 4/15/12, a hospital staff, who was also Patient M's family friend, inappropriately accessed Patient M's medical record for information the family. The staff member was not a part of Patient M's care team and had no written documentation from the patient to access the records.11. On 4/25/12, the Department was notified a breach of Patient N's PHI occurred on 4/18/12.Patient N's valuables were stored in the hospital's safe. On 4/18/12, Patient N requested his valuables returned to him. At the same time another patient was discharged retrieved his valuables from the hospital safe. The staff responsible for returning the valuables to the two patients inadvertently gave Patient N's valuables to the other patient.The PHI disclosed in Patient N's valuables included name and credit card account number.On 1/22/13, communication with the Risk Manager, Hospital Compliance Officer confirmed the breaches of PHI occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280