EISENHOWER MEDICAL CENTER

Report ID: 256T11.01, California Department of Public Health

Reported Entity: EISENHOWER MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 6). Patient 6's confidential information was facsimiled to a Private Business rather than a physician's office on July 10, 2014. This resulted in the unauthorized disclosure of Patient 6's protected health information (PHI).Findings:On July 21, 2014, at 1:38 p.m., an interview was conducted with the Deputy Information Privacy Officer (DIPO). She stated: a. On July 10, 2014, the Manager of the Primary Care Clinic facsimiled Patient 6's PHI. b. On July 16, 2014, she contacted a Private Business in regards to another issue and was informed they were in receipt of Patient 6's PHI which had been received on July 10, 2014, via facsimile.c. The Manager of the Primary Care Clinic was unaware Patient 6's PHI had been facsimiled to the incorrect destination, and upon investigation the facsimile numbers for the Private Business and the physician's office were different by only one number.d. The Manager of the Primary Care Clinic had not followed the facility policy and procedure for verifying the facsimile number prior to sending information and had not verified the physician's office had received the facsimile that was sent on July 10, 2014.e. The Private Business deleted the electronic facsimile which contained Patient 6's PHI on July 16, 2014.The Private Business received and had an opportunity to view Patient 6's PHI, which included name, date of birth, medical record number, authorization to release healthcare information, physician's name, complete history, medication list, local pharmacy used, social history, physician exam, and plan of care with diagnosis.Patient 6 was informed of the disclosure of her protected health information (PHI) via a letter dated and mailed on July 18, 2014, to her last known address.The California Department of Public Health (CDPH) was notified via a facsimile received on July 18, 2014, and a letter dated and mailed on July 18, 2014, of the unauthorized access of Patient 6's PHI.The facility policy and procedure titled "Faxing Protected Health Information" reviewed/revised March 21, 2013, revealed "... Sending Information ... Telephone the receiving facility to inform then that Protected Health Information is being faxed, confirm the fax number, and determine whether the fax machine is located in a secured area. ... Reconfirm the destination fax number prior to transmission by checking the telephone number displayed on the fax machine screen before transmitting it. Confirm success of the transmission by calling the intended recipient or by checking the fax transmittal report, if available. ..."The facility policy and procedure titled "Information Privacy" reviewed/revised December 19, 2011, revealed "... (facility name) will take all necessary steps to avoid unauthorized or unlawful access, use or disclosure of protected health information ... Whenever possible, the Information Privacy Officer will contact the individual or organization to whom the information was inappropriately or unlawfully accessed, used or released and requested that no further access, use or disclosure of the information is made and to return or destroy the information. The Information Privacy Officer will contact the Department of Public Health and report the breach within (5) five days of discovery. The Information Privacy Officer will contact the patient within (5) five days of discovery to inform him or her of the unauthorized access, use of disclosure and the plan or step's taken to mitigate it. ..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: 3YOT11.01