Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER COAST HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 31, 2013. Also cited in 58 other reports.
Report ID: 8N1G11, California Department of Public Health
Reported Entity: SUTTER COAST HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of three patients' (Patient 1, Patient 2, and Patient 3) protected health information, when some of the patients' medical information was mailed to Alaska Physician E. This failure allowed the unlawful or unauthorized access of protected health information.
Findings: The California Department of Public Health was notified on 9/23/13 that a, "Breach of Protected Health Information (PHI)", occurred between 8/15/13 and 9/6/13.
During an interview on 10/31/13 at 1:15 p.m., Administrative Staff A stated that, on 9/10/13, Management Staff C notified him that he had received a phone call, on 9/10/13, from Unlicensed Staff D at Alaska Physician E's office, indicating that Alaska Physician E had received three laboratory screening results, in the mail, that did not belong to Alaska Physician E.
The laboratory screening results for Patient 1, Patient 2, and Patient 3 were supposed to have been mailed to Local Physician F and Local Physician G and contained patient's names, medical record number, date of birth, home address, families' names and laboratory test results.
During an interview on 11/4/13 at 3 p.m., Administrative Staff A stated that the investigation did not begin and he was not sure his facility had committed the breach, until 9/16/13, after the documents were received in the mail from Alaska Physician E, because Administrative Staff A had to physically handle the documents to determine if they were on regular paper (indicating that Another Facility had made the error) or specially marked No Carbon Required paper (NCR paper) used by the facility laboratory.
Administrative Staff A also stated that Unlicensed Staff B was responsible for the mailing error.
A review of the facility Policy and Procedure for, "WORKFORCE CONFIDENTIALITY/PRIVACY", (11/2012), reveals the following: "POLICY It is the policy of [facility] and its Affiliates that all members of the [facility]/Affiliate Workforce safeguard and protect Confidential information and that members of the [facility]/Affiliate acknowledge their obligation to follow [facility]/Affiliate information privacy and security policies by executing annually a Workforce Confidentiality Acknowledgement. It is also the policy of [facility]/Affiliates to take appropriate disciplinary action for any violation of [facility]/Affiliate information privacy and security policies."
A review of the facility Policy and Procedure for, "OVERVIEW PRIVACY POLICIES UNDER HIPAA", (12/29/12), reveals the following: "I. POLICY: It is the policy of the [facility] to protect the privacy and security of patient information and to comply with applicable laws and regulations...III. GUIDELINES: ...B. Protected Health Information and Records: Protected Health Information (PHI) includes any information received, created or maintained by the [facility] in which the patient is or may reasonably be identified, regardless of whether the information is in oral, paper, or electronic form...C. [Facility] Privacy Policies and Procedures: The [facility] and its workforce members must comply with a number of state and federal laws and regulations. It is the responsibility of [facility] management to develop and distribute necessary privacy and security policies and procedures to guide the actions of its workforce...It is the responsibility of all [facility] workforce members to comply with the policies and procedures and to cooperate with [facility] management to identify and correct problems that may cause privacy or security breaches...G...7. Data Security Patients the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by [the facility] to prevent its misuse. It is the responsibility all [facility] workforce members to read the applicable security policies and comply with their provisions."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280