CORONA REGIONAL MEDICAL CENTER

Report ID: KOJ011, California Department of Public Health

Reported Entity: CORONA REGIONAL MEDICAL CENTER

Issue:

Based on interview and document review, the facility failed for one patient (Patient A), to ensure that (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information and medical records.Findings:On January 20, 2012, an unannounced visit was made to the facility to investigate a breach of PHI.An interview was conducted with the Director of Health Information Management, January 20, 2012, at 10:45 a.m. The Director of Health Information Management stated the person faxing the information did not verify the correct number was dialed prior to sending the fax. As a result Patient A's information was sent to an unauthorized recipient. Instead of faxing Patient A's lab results to her physician's office, the lab results were sent to a private residence, not authorized to receive Patient A's medical records. The Director of Health Information Management stated on January 20, 2012, the facility clerk/employee dialed the wrong fax number. The clerk faxing the information enter an "8" instead of a "9" on the fax machine when dialing the number. This resulted in Patient A's lab results being sent to the wrong person. The clerk did not verify the correct fax number prior to sending the fax. In an interview with the Lab Director on January 20, 2012, at 11:15 a.m., the Lab Director stated the clerk should have verified the fax number was correct on the fax machine screen prior to sending. The Lab Director stated the policy and procedure needed to be updated to include procedures to prevent further breaches from occurring when faxing lab results outside of the hospital.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280