Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAINT AGNES MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 4, 2012. Also cited in 16 other reports.
Report ID: Y75311, California Department of Public Health
Reported Entity: SAINT AGNES MEDICAL CENTER
Issue:
Based on staff interview, clinical record and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:
1. Patient 1's laboratory report was mistakenly faxed to a private home.
2. Patient 2's medical record was mistakenly faxed to a private business.
This failure placed Patient 1 and Patient 2's PHI at potential risk for unauthorized use.
Refer to CA003000871. On 4/5/12 at 1:50 p.m., Staff 1 (Privacy Officer) stated on 2/16/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 2/8/12 Staff 2 (Laboratory Clerk) mistakenly faxed Patient 1's laboratory report to a private citizen's home. Staff 1 stated it was Staff 2's responsibility to ensure all faxed transmissions were sent to the correct destination.
Patient 1's lab report contained the following PHI: Patient name, date of birth, phone number, date of service, medical record number, account number, attending physician and laboratory results.
The facility policy and procedure titled "Privacy and Confidentiality Policy," dated 9/17/09 contained the following: "...all modes and methods of communication include but not limited to verbal, electronic, manual, automated, computer, facsimile, telephone, voice mail, electronic mail and any and all other forms of communication. The sender of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as computer, fax machine, electronic mail, or voice mail. ...Confidential information sent via facsimile requires special precautions. The sending party should always verify the correct fax number before sending a fax. It may be necessary to ensure that a particular individual is available to receive a fax transmission to ensure confidentiality."
Refer to CA003027732.
On 4/5/12 at 1:50 p.m., Staff 1 stated on 3/8/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Patient 2's medical record was mistakenly faxed to a private business. Staff 1 stated it was the staff's responsibility to ensure all faxed transmissions were sent to the correct destination.
Patient 2's medical record contained the following PHI: Patient name, date of birth, address, phone number, date of service, medical record number, account number, diagnosis, treatment and medication prescribed.
The facility policy and procedure titled "Privacy and Confidentiality Policy" dated 9/17/09, indicated "...all modes and methods of communication include but not limited to verbal, electronic, manual, automated, computer, facsimile, telephone, voice mail, electronic mail and any and all other forms of communication. The sender of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as computer, fax machine, electronic mail, or voice mail. ...Confidential information sent via facsimile requires special precautions. The sending party should always verify the correct fax number before sending a fax. It may be necessary to ensure that a particular individual is available to receive a fax transmission to ensure confidentiality."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights