Good Samaritan Hospital

Report ID: Z8W311, California Department of Public Health

Reported Entity: GOOD SAMARITAN HOSPITAL

Issue:

Based on interview and record review, the hospital failed to prevent disclosure of one patient's (Patient 1) protected health information (PHI) when a staff member accessed Patient 1's electronic record without a legitimate business or clinical need to do so. The disclosure had the potential to expose Patient 1's health information to unauthorized persons. Findings:On 12/5/13 the California Department of Public Health received a faxed report from the privacy official (PO) which indicated the hospital identified disclosure of one patient's PHI.During an interview on 6/23/14 at 10:50 a.m., the PO stated Patient 1 had been a high profile patient so an audit report was conducted to identify if Patient 1's electronic medical record had been accessed by anyone who did not have clinical or business reason to do so.Record review on 6/23/14 at 10:50 a.m. of a "Patient Care Inquiry" report dated 12/4/13 at 9:47 a.m.; indicated Staff A had accessed Patient 1's electronic medical record on 11/20/13 at 6:31 p.m. The report consisted of a list of dates and times Patient 1's electronic record had been accessed but did not include the specific information viewed by Staff A.On 6/23/14 at 10:55 a.m., the PO stated an investigation was initiated to determine if Staff A had any business or clinical reason to access Patient 1's information. The PO stated at the time of the access Staff A was working at another campus location and was not working on main hospital tasks from the satellite location. The PO stated Staff A had no reason to access Patient 1's information.The PO further stated Staff A denied accessing Patient 1's information so the "Patient Care Inquiry" audit report was reconducted. The result of the second report indicated Staff A had accessed Patient 1's information.The PO stated the information accessed included Patient 1's date of birth, medical record number, social security number, insurance information, and address.Record review on 6/24/14 at 11:00 a.m. indicated Staff A had completed Code of Conduct Refresher training on 9/12/13.The PO stated the determination was made to terminate Staff A's employment based on Staff A's access to patient information as part of her job as medical records clerk. The hospital informed Patient 1's next of kin of the disclosure by letter on 12/5/13.Record review on 6/24/14 at 11:15 a.m. of the disclosure letter sent to Patient 1's next of kin indicated: "... I am writing to inform you of a recent disclosure of your [family member's] protected health information to one unauthorized employee... An investigation has been conducted by the Facility Privacy Official, VP of Human Resources, Director of Labor Relations and the employee's Director and it has been noted that her personal information including the visit history at the hospital and patient care (nursing) notes were accessed without having the appropriate authority. Within the visit history, your [family member's] social security number is listed..."Despite multiple attempts, Staff A was unable to be reached for interview regarding this incident. Telephone messages were left on 6/24/14, 6/25/14 and 6/26/14, with no return telephone call.Record review on 6/24/14 at 11:30 a.m., of the hospital policy "Sanction for Privacy and Information Security Violations" dated 3/1/10 described an example of a purposeful violation of the hospital policy: Accessing or using PHI (protected health information) without a legitimate need to do so."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280