COMMUNITY REGIONAL MEDICAL CENTER

Report ID: NQ8X11, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Two billing statements with Patient 1's PHI were mailed to an unauthorized recipient.2. Patient 2's home medication bottles were given to the wrong patient.3. Two letters with Patient 3's PHI were mailed to an unauthorized recipient. 4. Patient 4's PHI was mailed to an unauthorized recipient.These failures resulted in not protecting the PHI for the Patients and possible unauthorized use. Findings: Refer to CA00345231 1. On 11/13/13 at 10:40 a.m., during an interview, the Privacy officer (PO) stated two billing statements with Patient 1's PHI were mailed on 2/20/12 to an unauthorized recipient's home address .Review of the PHI indicated the following information was mailed in a letter to the unauthorized recipient: Patient 1's name, account number, date of service and amount due on bill.The Hospital Policy titled, "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "... III. Guidelines, A. Protected Health Information and Records, 1. Protected health information includes any information...created...in which a patient is or may be reasonably identified...whether the information is oral, paper or electronic form..."Refer to CA003274912. On 11/13/13 at 10:45 a.m., during an interview, the Privacy officer (PO) stated Patient 2's home medications were given to the wrong patient upon discharge.A review of the medical record indicated the following information was on the bottles: Patient 2's name, address and name of medications.The Hospital Policy titled, "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "... III. Guidelines, A. Protected Health Information and Records, 1. Protected health information includes any information...created...in which a patient is or may be reasonably identified...whether the information is oral, paper or electronic form..."Refer to CA003271543. On 10/31/13 at 4:00 p.m. during an interview, the Privacy officer (PO) stated two letters with Patient 3's PHI were mailed on 6/16/12 and 7/23/12 to an unauthorized recipient's home address.A review of the medical record indicated the following information was disclosed to an unauthorized recipient: Patient 3's name, related to a hospitalization on 6/7/12 and an appointment card for a clinic visit. The Hospital Policy titled, "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "... III. Guidelines, A. Protected Health Information and Records, 1. Protected health information includes any information...created...in which a patient is or may be reasonably identified...whether the information is oral, paper or electronic form..."Refer to CA003271584. On 11/2/13 at 11:15 a.m., during an interview, the Privacy Officer (PO) stated a letter with Patient 4's PHI was mailed to the unauthorized recipient's home address on 9/1912. A review of the PHI indicated the following information was disclosed to an unauthorized recipient: Patient 4's name, account number, date of service and amount due on bill.The Hospital Policy titled, "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "... III. Guidelines, A. Protected Health Information and Records, 1. Protected health information includes any information...created...in which a patient is or may be reasonably identified...whether the information is oral, paper or electronic form..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights