This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

ARROWHEAD REGIONAL MEDICAL CENTER

400 NORTH PEPPER AVENUE, COLTON, CA 92324

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 20, 2015. Also cited in 9 other reports.


Report ID: AU1411, California Department of Public Health

Reported Entity: ARROWHEAD REGIONAL MEDICAL CENTER

Issue:

Based upon interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A (an Emergency Room registered nurse), when Employee 1 (an Emergency Room technician) accessed Patient A's PHI without the appropriate authorization. This placed Patient A at risk for misuse of her personal information.

Findings:

On March 20, 2015 at 3:00 PM, a phone interview was conducted with Patient A regarding a complaint of a breach of her PHI by Employee 1 (a co-worker and her husband).

During the interview, Patient A described the event as follows: "On or about June 09, 2014, I was working in the Emergency Room (ER), as a Registered Nurse (RN), and I got a headache so bad that I checked into the ER. I was going through a divorce at the time and a female co-worker (Employee 2), who was working in the ER, saw my husband (Employee 1) looking at my medical record on the computer, so she asked him to go get something for her, so she could verify what he was looking at. When he left the computer, he left my medical record on the screen, so anyone looking at the screen could see my information."

Patient A stated, "About a week after my admission to the ER, I talked to the Facility Privacy Officer (FPO) about it. Employee 2 reported the violation to the Charge Nurse/Assistant Nurse Manager. After the hospital investigated the incident, I received a letter from the FPO, in July 2014. The hospital let [name of her husband] resign." She stated, "My co-workers made it difficult for me to work. They blamed me for him leaving the ER. Things got so bad for me in the ER that I resigned."

On March 24, 2015 at 9:09 AM, a phone interview was conducted with the FPO regarding a breach of PHI for Patient A. The FPO said, "On June 26, 2014, it was detected that an employee [Employee 1] accessed and viewed electronic medical records of a patient [Patient A] inappropriately on June 10, 2014."

A subsequent audit of the electronic record for Patient A dated June 27, 2014, reflected Employee 1 had logged in under his user identification on June 10, 2015 at 7:56 AM, and viewed the ER visit of Patient A. The information viewed included: Patient A's name, medical record number, date of birth, diagnosis and other demographic and visit information.

During a review of the letters sent by the facility to the California Department of Public Health (CDPH) and to Patient A, dated July 3, 2014, the letters indicated that Patient A's electronic medical record had been viewed without authorization; however, there was no indication that the information accessed had been removed from the facility.

A review of the facility's Incident Investigative Summary dated July 24, 2014, by the FPO indicated Patient A had been notified by the ER Manager that the investigation was conducted. On June 26, 2014, the FPO stated, "the case was referred to Human Resources for disciplinary action in accordance with hospital [name of hospital] policy, and subsequently, Employee 1 [used name] resigned in lieu of termination on July 31, 2014."

On May 28, 2015 at 10:05 AM, a phone interview with the FPO was conducted. The FPO stated, "I interviewed Employee 1 [used name] on July 15th, and the investigation was on-going. He was not suspended during the investigation because it was not seen as an immediate problem and Human Resources (HR) was involved too. We were waiting for disciplinary action, and he chose to resign. He [Employee 1] was accessing information that he did not need to do his work, his job, or take care of business. He was using his access to confidential information for his own personal gain. We were waiting for disciplinary action when he chose to resign."

A review of Employee 1's personnel file on March 24, 2015, revealed that on January 06, 2008, Employee 1 received Confidentiality and HIPAA Training (Health Insurance Portability and Accountability Act of 1996 established rules protecting the privacy and security of personal health data. Failure to comply with HIPAA requirements can result in civil and criminal penalties). The file also indicated that he completed the training for HIPAA and Information Security Awareness on May 20, 2014.

A review of the facility's Policy and Procedure titled, "Uses and Disclosures of Protected Health Information," dated April 03, 2013, indicated that it was, "the policy of the hospital [name of hospital], that an individual's identifiable protected health information (PHI) may only be used within the Medical center or disclosed to entities outside the medical center after notification to and/or with the expressed permission of the patient, except in cases of emergency or where specifically permitted or required by law." The same policy stipulated under "Disciplinary Action" that "Unauthorized access or unauthorized use or disclosure of PHI in any form may subject responsible employee...to disciplinary action up to and including termination of employment..."

A review of the facility's Policy and Procedure titled "Security Incident Procedures and Sanctions," dated April 03, 2013, indicated that the action for a Level 3 (personal gain or malicious harm) violation was dismissal or termination of contract. Employee 1 was allowed to resign on July 31, 2014.

This failure of the facility to protect Patient A's PHI when it was accessed by Employee 1 without authorization, placed Patient A at risk for misuse of her personal information.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
