COMMUNITY HOSPITAL OF SAN BERNARDINO

Report ID: HQO511, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO

Issue:

Findings:Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's proctected health information (PHI) when Employee 1, an admitting representative, faxed a twenty-four hour notice to the [name of facility], [name of county] instead of the [name of facility], [name of county]. This resulted in the unauthorized release of Patient A's PHI to an unintended recipient.During an interview with the Facility Privacy Officer (FPO) on December 19, 2014 at 1:55 PM, when asked how the incident occurred the FPO stated the fax, which was a twenty-four hour notice, was sent to [name of county] instead of [name of county] by Employee 1. During an interview with the Admitting Director on March 30, 2015 at 8:37 AM, when asked about [name of county] shredding the faxed document, she stated, "I asked them to shred the document because I did not know their Health Insurance Portability and Accountability Act (HIPAA) practices." When asked what Employee 1 reported regarding the incident, she stated Employee 1 self reported [the breach] and said she faxed to the county of residence not the county where Patient A's [government health insurance] is assigned.During an interview with the Admitting Representative (Employee 1), on April 20, 2015 at 8:20 am, when asked about the process of faxing 24 hour notices, she stated she initially obtained the demographic information from the patient regarding their county of residence. She stated, "The patient was homeless and when I asked the city and county - the patient stated [name of city and county]. . . when I ran his insurance eligibility . . .his eligibility code showed he had insurance through [name of different county]. I did fax the 24 hour notice on time to [name of intended county] but because I had already faxed the eligibility document to [name of different county], I contacted my manager. . . I did fax the document to [name of intended county] as well." A review of the facility's documents from their investigation, dated November 7, 2014 indicated Patient A was homeless in [name of county] and notified of the breach by letter while an inpatient at the facility.A review of the breached document, titled [name of county] Mental Health Point of Authorization indicated Patient A's name, social security number, [government health insurance] number, date of birth, gender, education level, marital status, ethnicity, reason for admission, admitting diagnosis, present condition and substance abuse history were disclosed in the fax transmission. Patient address information listed [name of county] for Patient A which is not the same as [name of different county] for the 24 hour notice form.A review of the facility policy and procedure, titled, "Safeguarding PHI and Sensitive Information", dated January 17, 2012 indicated in paragraph F (2), "The sender should confirm that the fax number is approved for receipt of Sensitive Information." (4) "When manually entering a fax numbern, visually verify the correct fax number is being entered before sending."A review of the facility policy and procedure titled, Protected Health Information (PHI), Transfer of, dated August 2012, indicated in 1.1.2, "Employees will take reasonable steps to ensure that a fax transmission is sent to and received by the intended recipient."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights