This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN RAMON REGIONAL MEDICAL CENTER

6001 NORRIS CANYON ROAD SAN RAMON, CA 94583

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 24, 2013. Also cited in 9 other reports.


Report ID: F4QC11.06, California Department of Public Health

Reported Entity: SAN RAMON REGIONAL MEDICAL CTR

Issue:

Based on interview and record review, the hospital failed to ensure confidential treatment of patient medical information was protected and was not made available to anyone not directly concerned with the care for 11 patients (Patients 1, 3, 4, 5, 6, 7, 8, 9, 12, 14 and Patient 16) as evidenced by: Patient 1's records were transferred with Patient 2 to another facility; Patient 3, 4, 5, 6, and 7's records were faxed to a private business; Patient 8's medical records were faxed to a private business; Patient 10 received medical records pertaining to Patient 9; Patient 15 received medical records pertaining to Patient 14; Patient 12's medical records were faxed to a private business; Patient 16's medical records were faxed to the patient's employer.

These failures had the potential to cause each affected patient the loss of dignity and privacy and risk for identity theft.

Findings:

Review of the undated facility policy "Privacy Policy Overview", received on 4/24/13, showed that the facility holds the Corporate Privacy/Security Officer responsible for working with "Corporate Compliance to ensure achievement and maintenance of compliance with the Privacy Policies and Procedures and legal obligations". The policy further stated that the facility defined Protected Health Information (PHI) as "individually identifiable health information".

Review of the facility policy "Information Handling Procedure", dated 10/10/00 and revised 6/13/06, showed that the facility expectation was that "protected health information records shall receive special handling", and that confidential information "shall be delivered directly to the designated recipients". This policy further outlines the facility's fax policies, including the requirement that "if the Fax number has not been previously used, a cover sheet shall first be sent and acknowledged by the recipient. After this test is performed, the confidential and/or proprietary information may be sent". The policy further required that faxes sent outside the facility must include a cover page with the recipient's name, fax, and telephone numbers, the number of pages in the fax, and the following language: "The information in this communication is confidential and is directed only to the intended recipient. Please do not forward this communication without my permission. If you have received this communication in error, please notify me immediately and delete/destroy this communication."

Review of the undated facility policy "Mitigation and Sanctions Procedure", received on 4/24/13, showed that the facility required all employees to promptly report any violation of the privacy policies to the Corporate Privacy/Security Officer by phone or fax. Review of the undated facility policy "Training Requirements Procedure", received on 4/25/13, showed that all employees "must be provided training concerning [facility]'s policies and procedures regarding the privacy of Protected Health Information".

Review of the facility policy "Patient Transfer to and from Another Acute Care Facility", dated 12/89 and last revised 9/10, showed that when a patient was transferred to another hospital, the facility must send copies of the patient's medical records, which must be reviewed by the charge nurse at the time of transfer.

Review of the facility policy "Discharge of Patients from the Emergency Department", dated 10/11 and revised 7/12, showed that "all patients discharged from the Emergency Department will receive condition-appropriate instructions and appropriate referrals". Review of the facility's educational presentation titled "2009 CA Privacy Law Update", received on 4/26/13, showed that employees are instructed that all hospital employees are responsible for understanding and enforcing privacy regulations. The presentation further informed employees that all violations of patient information privacy must be reported to the Department and the patient within 5 days of discovery. The presentation included misdirected faxes and discharge instructions given to the wrong patient as examples of violations that must be reported.

1. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 12/21/12 Patient 1 was admitted to the Emergency Department. Patient 2 was transferred to another Acute Care Hospital on 12/21/12. The CO stated that Staff 1 included some of Patient 1's records in the transfer packet sent with Patient 2 to the new facility. The CO stated that the Emergency Department Clinical Manager was notified of the breach on 12/21/12, and waited for the Emergency Department Director to return from vacation to ask if it needed to be reported. The CO stated that he was notified of the breach by email on 12/28/12, though he did not receive the email until 1/2/13, and notified the Department and Patient 1 by certified mail on 1/3/13.

Record review showed that the records sent with Patient 2 included a laboratory report for Patient 1, dated 12/21/12. The report included Patient 1's full name, sex, date of birth, Medical Record Number, and account number as well as the laboratory results themselves.

2. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 2/12/13 Staff 6 faxed Patient 3, 4, 5, 6, and 7's confidential health information to a private business instead of the physician's office for whom it was intended. The CO stated that the information was a list of patients to be discussed at the Tumor Board meeting planned for that month, with general information about those patients.

Record review showed that the records sent to the private business, titled "Tumor Board Referrals February 14, 2013", included the names, dates of birth, medical record numbers, diagnoses, and tests performed for Patients 3, 4, 5, 6, and 7.

3. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 2/20/13 Staff 7 attempted to fax Patient 8's records to the county Public Health Department but instead faxed them to a private law firm due to a typing error when dialing the fax number. The law firm faxed the report to the county Public Health Department, who notified the facility of the breach.

Review of the record titled "Confidential Morbidity Report", sent to the private law firm, showed that the information included Patient 8's name, home address, home phone number, date of birth, age, sex, race, and the diagnosis of a communicable disease (a disease which can be spread from one person to another).

4. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 2/27/13, Staff 8 included some of Patient 9's records in discharge instructions given to Patient 10. Review of the records showed that Patient 10 received Patient 9's laboratory and ultrasound reports, which were dated 2/27/13. These reports included Patient 9's name, sex, date of birth, Medical Record Number, account number, laboratory results, and pelvic and transvaginal ultrasound results.

5. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 3/13/13, Staff 11 included some of Patient 14's records in discharge instructions given to Patient 15. Record review showed that the records belonging to Patient 14 which were given to Patient 15 included a document titled "Nurse's Notes", dated 3/13/13. The document included Patient 14's name, date of birth, sex, age, Medical Record Number, account number, medical and surgical history, home medications, social history, vital signs, physical assessment, treatment interventions, and medications given in the Emergency Department.

6. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 3/15/13, Staff 9 was attempting to send Patient 12's clinical records to a rehabilitation facility to which Patient 12 was to be transferred. However, Staff 9 mistyped the fax number and sent the records to a private business. The error was discovered on 3/15/13 when the private business notified the facility.

Record review of the misdirected fax included two pages titled "Transmission Verification Report" (TVR). One TVR included a fax number and was timed 3/15/13 at 1:13 p.m. The other TVR included a fax number with one digit changed and was timed 3/15/13 at 1:19 p.m. The cover sheet included the fax number found on the second TVR. The clinical record attached to the cover sheet and TVRs included a document with the following information: Patient 12's name, address, occupation, date of birth, place of birth, age, race, sex, social security number; spouse's name, address, and phone number; child's name, address, and phone number; financial information including Medicare and insurance status with Medicare and private insurance identification numbers; and diagnosis. The record further included a document titled "History and Physical", dated 3/12/13. This document included extensive medical history, history of the present illness, mental health treatment information, alcohol use history, and treatment plan. The record also included a document titled "Cardiology Consultation", dated 3/12/13, which included medical history, physical assessment, medications, test results, and treatment plan. The record also included a document titled "Operative Report", dated 3/13/13, which included a detailed description of a surgical procedure performed on Patient 12. The record also included a document titled "PT Initial Evaluation", dated 3/14/13, which included a detailed description of Patient 12's physical status, including an assessment of Patient 12's ability to use the toilet. The record also included a report of medications administered during the hospital stay, dated 3/15/13, which included medications used to treat mental health conditions.

7. In an interview on 4/24/13 at 3:00 p.m., the Compliance Officer (CO) stated that on 4/11/13, Staff 12 sent detailed medical records to Patient 16's employer. The CO stated that Staff 12 was preparing clinical records to send to the facility to which Patient 16 was being transferred at the same time as an absence excuse for the employer. Staff 12 inadvertently sent the clinical records to the employer along with the absence excuse.

Record review of the documents sent to Patient 16's employer included a form titled "Face Sheet", dated 3/28/13, which included Patient 16's name, date of birth, race, marital status, Medical Record Number, Social Security number, home address, sex, phone number, chief complaint, and insurance information including insurance company name and Patient 16's identification number. The form also included the name, address, and phone number of Patient 16's emergency contact. The record further included a document titled "H&P", dated 3/28/13, which included a history of the present illness, medical, social, and family history, and current medications, including medications used to treat mental health conditions. Also included was a document titled "Discharge Summary", dated 4/11/13, which included the name of the facility Patient 16 was being transferred to. This document included a detailed description of the hospital course. The record also included a document titled "Operative Report", dated 3/28/13, which included a detailed description of a surgical procedure performed on Patient 16. The record further included a document titled "Gastroenterology Consultation", dated 3/28/13, which included a detailed description of Patient 16's medical condition, vital signs, social and family history, laboratory results, and plan of care. The record also included a document titled "Consultation", dated 3/28/13, with a detailed description of Patient 16's medical status. The record further included a document titled "Infectious Disease Consultation", dated 3/30/13, which included a detailed description of Patient 16's medical condition, surgical procedure, and infectious disease status. The record also included a document titled "CM/SS Note" dated 3/29/13. This record was signed by a social worker and included personal information about Patient 16 and emergency contact, including the emergency contact's phone number.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
