Good Samaritan Hospital

Report ID: MR1311.01, California Department of Public Health

Reported Entity: GOOD SAMARITAN HOSPITAL

Issue:

Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of patient health information (PHI) for one of one sampled patient (1), when a hospital employee accessed Patient 1's electronic medical records without a job related purpose. The failure resulted in Patient 1's PHI being disclosed to an unauthorized individual. Findings:The California Department of Public Health received an online report on 7/1/13, which indicated a nurse had accessed Patient 1's medical records. The nurse was not treating Patient 1 nor had authorization on file to access Patient 1's records.During an interview on 7/18/14 at 10:45 a.m., the privacy official (PO) stated during a real-time computer audit, the computer flagged the access of Patient 1's record. After an internal investigation, the hospital identified a registered nurse (RN A) had accessed Patient 1's medical record. RN A had not cared for Patient 1, nor had a business related reason to access Patient 1's medical records. PO further stated RN A was Patient 1's family member and did have authorization to pick up X-rays for Patient 1, but not for any other access. The computer audit indicated RN A had accessed radiology and cardiology department reports, physician dictations, which included a history and physical, and consultation/procedure notes. During an interview on 7/18/14 at 11:20 a.m., RN A stated she had brought Patient 1 to the emergency room (ER) on 6/2/13. RN A stated Patient 1 was released from the ER, but required follow-up. RN A then stated during her next hospital shift she accessed Patient 1's history and physical notes since the doctors had thought Patient 1 had a heart condition when he was seen in the ER. RN A further stated she did not follow the hospital's policy when she accessed Patient 1's medical records.During an interview on 7/31/14 at 3 p.m., RN A stated she was authorized to make health care decisions for Patient 1 only if Patient 1 was incapacitated, i.e., comatose or brain dead and with a breathing tube. RN A further stated "it wouldn't really be applicable in this situation" (meaning accessing Patient 1's electronic medical records).During an interview on 8/5/14 at 2:40 p.m., PO stated she was not aware if RN A had verbal permission from Patient 1 to access his record. PO also stated RN A's director did not recall if there was mention of verbal permission from the patient. No notes during RN A's corrective action meetings indicated a verbal permission was given to RN A by Patient 1 to access his record.A review of a copy of a letter dated 7/1/13 from the hospital to Patient 1, indicated RN A had accessed Patient 1's protected health information. Information disclosed "included radiology, cardiology, and other physician's dictations were viewed." The letter further indicated there was an authorization on file for RN A to pick up Patient 1's X-ray films, but no authorization on file for RN A to access Patient 1's medical information.A review of a copy of the audit report indicated RN A accessed radiology reports, the cardiology reports summary, some health information management queries, and recent clinical areas of Patient 1's electronic records.A review of a copy of the hospital's 5/1/08 "Minimum Necessary" policy indicated only workforce members with a legitimate "need to know" may access patient information. Each workforce member may only access information necessary to perform his or her designated role.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: CDUH11.01