ST BERNARDINE MEDICAL CENTER

Report ID: FO7511, California Department of Public Health

Reported Entity: ST BERNARDINE MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to protect Patient A's medical information. This breach caused Patient A's protected health care information to be released. Findings: The facility self reported on 9/7/11 that on 8/23/11 an employee (Employee A) in the laboratory department was accompanied by a relative to 2 remote sites to do lab draws, for the purpose of observing Employee A in the work setting, without obtaining authorization from the supervisor. The report indicated that Employee A's relative viewed PHI (Protected health information) without authorization, involving PHI on 7 lab requisitions while observing completion of lab requisitions by Employee A at the nurses' station. The PHI contained in the lab requisitions included:a. Patients name.b. Date of birth.c. Physician name.d. Room number.e. Encounter number.f. Medical record number.g. Name of test(s) ordered.h. ICD-9 diagnosis code(s).i. Date of lab draw.j. Initials of phlebotomistk. Facility name. During an interview with the health information officer on 9/14/11, she confirmed that Employee A had violated the facility's policy of safeguarding the patients health information. Review of the facility's policy and procedure titled "Safeguarding PHI and Sensitive Information", effective date: 1/5/09 indicated, "It is the policy of ... to provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity. The ... facility shall implement reasonable and appropriate administrative, technical, and physical safeguards ..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights