CLOVIS COMMUNITY MEDICAL CENTER

Report ID: WWHN11, California Department of Public Health

Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's PHI was found in a patient room by an unauthorized individual. (refer to CA00355128)2. Patient 2's PHI was given to an unauthorized individual. (refer to CA00356717)3. Patient 3's PHI was mailed to an unauthorized recipient. (refer to CA00356164)These failures resulted in not protecting the PHI for Patient's 1, 2 and 3 and had the potential for unauthorized use. Findings: Refer to CA003551281. On 6/11/13 at 2:00 p.m., during an interview, the Privacy Officer (PO) stated on 5/10/13 Patient 1's PHI was found laying in a patient room on a Crib Card dated 5/9/13 by an unauthorized individual.Review of the medical record indicated the following information was on the Crib Card: Patient name, date of birth, gender, parent's names, account number, medical record number and date of service. On 5/17/13 a certified letter was mailed to the patient's parents notifying them of the breach.The (Hospital) Policy and Procedure titled, HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI dated 4/18/12, III. Guidelines: A. Protected Health Information and Records indicated; 1."Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. B. (Hospital) Privacy Policies and Procedures 2. It is the responsibility of all (Hospital) workforce members to comply with policies and procedures ... identify ... security breaches." Refer to CA003567172. On 6/11/13 at 1:52 p.m., during an interview, the Privacy Officer (PO) stated on 5/24/13 Patient 2's PHI was breached when patient labels intended for Patient 2 were given to an unauthorized recipient. Review of the medical record indicated the patient labels included: Patient 2's name, medical record number, account number and date of service. On 5/30/13 a certified letter was sent to Patient 2's parents regarding the breach. The (Hospital) Policy and Procedure titled, HIPAA General Rules for the Use and Disclosure of PHI dated 4/18/12, III. Guidelines: A. Protected Health Information and Records indicated; 1."Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. B. (Hospital) Privacy Policies and Procedures 2. It is the responsibility of all (Hospital) workforce members to comply with policies and procedures ... identify ... security breaches."Refer to CA003561643. On 6/11/13 at 1:45 p.m., during an interview, the Privacy Officer (PO) stated Patient 3's PHI was mailed to an unauthorized recipient.Review of the medical records indicated; Patient 3's PHI was mailed on 4/23/13 to the unauthorized individual in a billing statement. PHI included: patient name and account number from a hospitalization on 3/21/13. On 5/28/13 a certified letter was sent to Patient 3 notifying her of the breach.The (Hospital) Policy and Procedure titled, HIPAA General Rules for the Use and Disclosure of PHI dated 4/18/12, III. Guidelines: A. Protected Health Information and Records indicated; 1."Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. I. Accurate Information 1. It is the responsibility of all individuals who collect information from patients ... medical record ... to be as accurate and complete as possible."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights