Ukiah Valley Medical Center

Report ID: 32U511, California Department of Public Health

Reported Entity: UKIAH VALLEY MEDICAL CENTER/HOSPITAL D

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of one patient's (Patient 1) medical information, when staff of the facility clinic inadvertently called a business, other than Patient 1's employer, to verify appointment authorization. This failure allowed the unlawful or unauthorized access to patient 1's medical information. Findings:The California Department of Public Health was notified on 10/16/12 that a, "Breach of Protected Health Information (PHI)," occurred on 10/11/12.During an interview on 10/19/12 at 10 a.m., Administrative Staff A stated that she received notification, on 10/11/12, indicating that Unlicensed Staff B, working in the facility clinic, called a business other than Patient 1's employer, to verify authorization for a scheduled hiring physical.Administrative Staff A further stated that it was human error, on the part of Unlicensed Staff B, as the names of the two businesses were similar. Administrative Staff A also stated that Patient 1 was notified by mail, on 10/15/12, that there had been a breach of PHI (Patient 1's name, date/time/location of the appointment) to the business. Review of the letter sent to Patient 1 (dated 10/15/12), advising him of the PHI breach, confirmed there had been a breach of PHI. A review of the facility Policy and Procedure for, "Use and Disclosure of protected Health Information" (12/12/05), indicated the following:"AFFECTED DEPARTMENTS/SERVICES: 1. All Corporate Office Departments 2. System-Wide Facilities...POLICY: COMPLIANCE-KEY ELEMENTS....Under the Privacy Rule, [Facility Corporation Name] entities are permitted to use or disclose PHI when: 1. The disclosure is to the individual to whom the PHI pertains."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280