Jan 2, 2014

This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

STANFORD HOSPITAL

300 PASTEUR DRIVE, STANFORD, CA 94305

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 2, 2014. Also cited in 15 other reports.


Report ID: G2G911, California Department of Public Health

Reported Entity: STANFORD HOSPITAL

Issue:

Based on observation, interview, and record review, the hospital failed to provide full consideration of privacy concerning the medical care program for patients. Vendor A (a person who sells medical equipment to the hospital for use by patients) was authorized to enter patient care areas and access health information. The hospital could not furnish documentation Vendor A read and signed a confidentiality addendum for maintaining the security of patient information, or was registered with the hospital's contracted service which screens vendors and trains them regarding privacy and confidentiality. Failure to follow policy for vendor documentation and training/screening could have the potential to increase the risk for a privacy breach for patients.

Findings:

During an observation of the post anesthesia recovery area (PACU) with the operating room manager (ORM) on 1/2/14 at 10:20 a.m., the PACU was a large room with multiple patient beds. The PACU had an electronic posting screen visible to persons walking in the open part of the room. The posting screen showed patient initials, medical record numbers, and the name of the surgeon who would perform the surgery.

During an interview at the same date and time, the ORM stated the screen was for tracking surgical cases for the day. The ORM stated Vendor A sold medical products to the hospital and was authorized to enter the PACU. The ORM stated he had seen Vendor A in the PACU area. The ORM stated in order to provide the correct item or to fit an item to an individual patient, hospital vendors were authorized to speak with patients and to access patient health information to an extent.

During an interview on 1/10/14, the compliance officer (CO) stated vendors are required to sign pricing agreements with the hospital. She stated the pricing agreements included a confidentiality addendum which the vendor was required to read and sign. The CO stated a pricing agreement and confidentiality addendum signed by Vendor A could not be located. The CO stated hospital policy and procedure was to obtain and file a signed copy of the agreement for each vendor.

On 1/15/14 review of two invoices (a document which includes the item(s) furnished and price) for medical equipment submitted to the hospital by Vendor A on 1/9/12 disclosed the patients' names, dates of birth, and medical record numbers.

On 1/15/14 review of a copy of an undated confidentiality addendum to the hospital purchasing and bidding policy and procedure indicated vendors must agree not to use, access, or disclose protected health information except for the extent needed directly for patient care, treatment, or billing. The addendum further indicated the vendor must agree to adhere to all hospital policies and procedures regarding privacy and security of protected health information, including but not limited to the vendor confidentiality agreement. The agreement must be signed and acknowledged.

During an interview on 1/27/14 at 11:34 a.m., the hospital contract specialist (CS) stated she was not sure if Vendor A had ever signed a pricing agreement and confidentiality addendum. The hospital was not able to provide documentation indicating Vendor A had signed a pricing agreement and a confidentiality addendum. The CS stated vendors must initially sign the confidentiality addendum before selling equipment to the hospital. The CS further stated current hospital policy required vendors to register with a vendor screening service (VSS) which provided confidentiality training. The CS stated Vendor A was not registered with VSS but continued to sell equipment to the hospital.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
