Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ORANGE COUNTY GLOBAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 21, 2013. Also cited in 17 other reports.
Report ID: RE8511, California Department of Public Health
Reported Entity: WESTERN MEDICAL CENTER SANTA ANA
Issue:
Based on interview and hospital document review, the hospital failed to prevent the disclosure of 26 patients' Protected Health Information (PHI) to unauthorized individuals (Patients A, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, Ra, Rb, Rc, Rd, Re, S, T, U, Va, Vb and W).

Findings:

1. Review of the hospital's documents showed, on 1/8/13, the Hospital Compliance Officer was made aware a breach of Patient A's PHI occurred.

On 1/8/13, the hospital's Chief Executive Officer (CEO) found papers on the ground in the Doctor's parking lot with PHI belonging to Patient A. The CEO gave the papers and the location where they were found to the Medical Records staff. Investigation showed Patient A's anesthesia record, face sheet, and copies of both the Medi-Cal and Medicare identification cards accidentally fell out of the Anesthesiologist's pocket as he was getting into his car the night before.

Patient A's disclosed PHI included name, address, phone number, date of birth (DOB), age, gender and medical record number (MR #), account number, health plan number, and Medi-Cal number, Medicare number, diagnosis, date of treatment, procedure type, medications given and heart rate, breathing rate and physicians names.

2. On 3/11/13, the Hospital Compliance Officer was made aware a breach of Patient D's PHI occurred.

On 3/6/13, an Emergency Department (ED) staff faxed Patient D's face sheet to his physician's group. However, on 3/7/13, the physician's group, who received the face sheet contacted the hospital's ED to inform them Patient D did not belong to that group. The hospital investigation showed the ED staff selected the correct fax number; however, the number was programmed incorrectly into the system.

Patient D's disclosed PHI included name, address, phone number, MR#, account #, date of birth (DOB), social security number (SS#), physician name and date of service, chief complaint and emergency contact information.

3. On 3/5/13, a community attorney's office contacted the Hospital Compliance Officer regarding the receipt of Patient E's medical record in error.

The hospital's investigation showed a staff registered nurse (RN) contacted a skilled nursing facility (SNF) for their fax number in order to fax Patient E's medical information. The fax number was given by a staff at the SNF and verified by the hospital's RN. The patient's face sheet, history and physical (H&P), Progress Notes, physician's Orders, Occupational and Physical Therapy Notes, the activity of daily living flow sheets and laboratory data were faxed to the number provided. The next day the attorney's office informed the hospital of the error. The hospital disclosed the SNF staff had accidentally transposed the last 4 digits of the fax number and provided the hospital RN with the incorrect fax number.

Patient E's disclosed PHI included name, address, age, DOB and phone number, SS#, physician name, insurance providers and diagnoses, head to toe assessment and progress, physician's orders, medications and physical capability with progress and needs and laboratory data with results.

4. Review of hospital documents showed on 3/7/12, the Hospital Compliance Officer was made aware Patient F's PHI was breached.

Review of the hospital's investigation showed Patient F's folder personalized with the addressograph stamp and patient's copy of the Belongings Inventory form was found by another patient in their personal bag while searching for her cell phone. The hospital's investigation was unable to determine how Patient F's personal papers got into the personal bag of another patient.

Patient F's disclosed PHI included name, DOB, MR#, account number, physician name and date of service.

5. On 3/28/13, the Hospital Compliance Officer was made aware a breach of Patient G's PHI occurred.

Review of the hospital's investigation showed, on 3/19/13, an admitting representative staff accidentally faxed Patient G's face sheet to an insurance company with a very similar name as the intended insurance company. Patient G's disclosed PHI included name, DOB, address, phone number, SS#, MR#, account number, health plan number, date of treatment, physician name and medical procedure.

6. Review of the hospital's investigation showed the Hospital Compliance Officer was made aware a breach of Patient H's PHI occurred on 4/16/13. On 4/16/13, a mother in the postpartum unit called the Neonatal Intensive Care Unit (NICU) to check on her baby's status. The RN asked for the numbers on the mother's identification bracelet to match with the baby. The RN informed the mother the baby had positive signs; however, when the mother visited the NICU she found she was given the information for Patient H and not that of her baby.

Patient H's disclosed PHI included name and progress of nippling and feeding.

7. On 5/23/13, the Hospital Compliance Officer was made aware a breach of Patient I's PHI occurred.

Review of the hospital's investigation showed on 5/17/13 compact discs (CDs) of radiological films with results were made for two patients on the 4th floor; however, the CDs were put into one envelope and given to another patient's responsible party. Later, this was brought to the hospital's attention by the other patient's responsible party.

Patient I's disclosed PHI included name, MR#, procedure title and images from 4/30/13 to 5/14/13.

8. On 6/3/13, the Hospital Compliance Officer was made aware by the Radiology Department a breach of Patient J's PHI occurred. A community business called the Radiology Department after receiving a fax of radiological reports belonging to Patient J on 6/3/13. The community business stated it has had the same fax number for over a year. The Radiology Department used the hospital's auto fax system to send Patient J's radiological reports to the ordering physician. The hospital's investigation showed the physician's fax number was not updated in the system.

Patient J's disclosed PHI included name, DOB, age, sex, MR#, account number, order date, time and results of the tests, date of admission, physician's name, exam date, time, identification, the exam performed, exam findings, name of Radiologist and the date and time the report was verified.

9. Review of hospital documents showed a breach of Patient K's PHI occurred on 6/23/13. Patient K's identification label and some documentation was placed on another patient's discharge instructions and given to that patient upon discharge.

Patient K's disclosed PHI included name, DOB, age, gender, MR#, account number, date of service, and physician name. In addition, a physician's statement showing the level of care received, fees, medication prescription and discharge instructions related to the diagnosis was included.

10. Review of hospital documentation showed, on 7/8/13, a Central Billing Office (CBO - a private pay collector) found that a "new patient" (Patient L) had additional accounts which were private pay and Kaiser insurance. However, the Kaiser insurance patient information did not match that of Patient L. Review of the hospital investigation showed an Admitting representative ran Patient L through Kaiser by name and DOB, which matched Patient L; however, the staff did not note the SS# and address did not match. The Admitting representative failed to verify all of Patient L's information during the admission process and caused the incorrect insurance company to be billed in error. Patient L's disclosed PHI included name, DOB, address and account number.

11. On 7/12/13, the CBO Privacy Officer was made aware a breach of Patient M's PHI occurred.

Review of hospital documents showed on 7/11/13, a patient was transferred back to their previous SNF. In that patient's transfer documents, Patient M's Combined Home Medications and Inpatient Medication Reconciliation Order Forms were included.

Patient M's disclosed PHI included name, DOB, MR#, account number, date of service and diagnosis.

12. On 7/23/13, the Hospital Compliance Officer was made aware a breach of Patient N's PHI occurred. Review of hospital documents showed on 7/21/13, another patient in the ED was given a discharge instruction form containing some of Patient N's information.

Patient N's disclosed PHI included name and descriptive information of what was done for the patient's reason for the visit.

13. On 8/9/13, the CBO Privacy Officer was made aware a breach of Patient O's PHI occurred.

Review of hospital documents showed on 8/9/13, the person who received Patient O's PHI in error alerted the hospital. The hospital's investigation showed, on 7/31/13, a CBO staff failed to perform quality control for outgoing mail by not validating Patient O's demographics before sending out the letter.

Patient O's disclosed PHI included name, visit identification number, facility name, service dates and total charges.

14. On 8/15/13, the CBO Privacy Officer was made aware a breach of Patient P's PHI occurred.

Review of hospital documents showed on 8/15/13, the person who received Patient P's PHI in error alerted the hospital. The hospital's investigation showed, on 7/16/13, a CBO staff failed to comply with implemented procedures before updating Patient O's demographics, updating the account and before sending the letter out.

Patient P's disclosed PHI included name, visit identification number, facility name, service dates and total charges.

15. On 9/11/13, the Hospital Compliance Officer was made aware a breach of Patient Q's PHI occurred.

Review of hospital documents showed on 9/11/13, a medical records processor in the ED discovered a Combined Home Medication and Inpatient Medication Reconciliation Order Form with Patient Q's information were given to another patient upon their discharge. Patient Q's disclosed PHI included name, DOB, allergies, MR#, account number and treatment date.

16. Review of hospital documents showed on 9/17/13, a SNF requested copies of the discharge summary forms belonging to Patients Ra, Rb, Rc, Rd and Re. A medical records staff looked up the fax number for the SNF and documented it on a post-it. However, in documenting the fax number, the staff accidentally copied it incorrectly. The copies of the patients' discharge summary forms were faxed to the wrong entity in error.

Patients Ra, Rb, Rc, Rd and Re's disclosed PHI included name, DOB, MR#, account number and date of admission, date of discharge, admit and final diagnosis, hospital course and condition at discharge, along with discharge instructions and dictating physician.

17. On 9/30/13, the Hospital Compliance Officer was made aware a breach of Patient S's PHI occurred.

Review of hospital documents showed on 9/24/13, a patient in the ED was given a prescription upon discharge with PHI belonging to Patient S. Two RNs signed off that all discharge papers belonged to the patient to which they were given. Neither noticed the prescription had PHI belonging to Patient S.

Patient S's disclosed PHI included name and DOB.

18. On 10/8/13, the Hospital Compliance Officer was made aware a breach of Patient T occurred.

Review of hospital documents showed on 9/29/13, an RN called the Case Manager (CM) to discuss Patient T's discharge plans. The CM gave the RN the fax number to send Patient T's information for a potential transfer. However, in verbalizing the fax number to the RN, the CM mistakenly gave the RN the incorrect fax number. The RN unintentionally sent the patient's face sheet, physician's orders, H&P and laboratory results to an unintended recipient.

Patient T's disclosed PHI included name, DOB, age, height and weight, room number, contact information, address, diagnoses, physician name, health plan verification number, service date, plan type and contact information for plan. In addition, laboratory tests and results were disclosed.

19. On 11/6/13, the CBO Privacy Officer was made aware a breach of Patient U's PHI occurred.

Review of hospital documents showed on 11/6/13, during an account follow up activity, staff discovered an appeal packet belonging to Patient U was sent to the wrong insurance payor in error.

Patient U's disclosed PHI included name, DOB, account number, service dates, billing detail charges, procedure codes and descriptions of procedures.

20. On 11/16/13, the Hospital Compliance Officer was made aware a breach of Patient Va and Vb's PHI occurred. Review of the hospital investigation showed on 11/16/13, the RN House Supervisor attempted to call the CM regarding two admissions to the hospital.

As the CM did not answer the call, the RN House Supervisor left a message regarding the two admissions. The message included information regarding Patients Va and Vb. After the message was left, the RN House Supervisor received a call from the number she had dialed and was informed she had left the message on a private number. Investigation showed the fourth and fifth digits of the intended phone number were dialed incorrectly and were not that of the CM.

Patient Va and Vb's disclosed PHI included names and admitting diagnoses.

21. Review of hospital documents show, on 11/19/13, a medical records staff attempted to fax a physician an operative report belonging to Patient W, dated 11/11/13.

After faxing the report, the medical records staff was called by a community business and informed Patient W's operative report, dated 11/11/13, was received by them. Investigation showed the fifth digit of the physician's fax number was dialed incorrectly.

Patient W's disclosed PHI included name, DOB, MR#, account # and physician name, date of service, pre and post-operative diagnosis, title of procedure and description of procedure.

A conference call with the Hospital Compliance Officer, on 12/24/13 at 1100 hours, and with the CBO Privacy Officer, on 12/30/13 at 1430 hours, confirmed the breaches of PHI occurred as documented.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280