AHMC ANAHEIM REGIONAL MEDICAL CENTER

Report ID: QQHB11, California Department of Public Health

Reported Entity: AHMC ANAHEIM REGIONAL MEDICAL CENTER

Issue:

Based on interview and hospital document review, the hospital failed to prevent the unauthorized disclosure of the protected health information (PHI) of 15 patients' (Patients E, F, G, H, J, K, L, M, Na, Nb, O, R, S, T and U).Findings: 1. On 4/5/12, the hospital became aware Patient E's PHI was disclosed on 6/23/11. Review of the hospital's documentation showed Patient E's PHI was disclosed to a representative of another patient when a request for information was accidentally processed incorrectly by the hospital's release of information vendor (HealthPort). The Vendor released the wrong patient information to the requestor.Patient E's disclosed PHI included name, date of birth (DOB), medical record number (MR#) and account number.2. Review of the hospital's documents showed a breach of Patient F's PHI occurred on 4/30/12.A malfunction, called by the hospital to be a fax machine "hiccup," occurred when the auto-dialer of the fax machine reported a dictated report pertaining to Patient F was correctly sent to the physician; however, it was in fact sent to a community business and not the intended recipient. Patient F's disclosed PHI included name, MR#, account number and the operative report containing physician name, pre-operative diagnosis, post-operative diagnosis and description of the operation.3. Hospital documentation showed a breach of Patient G's PHI occurred on 4/30/12. On 4/30/12, during a transfer of a patient to another care facility, Patient G's PHI was inadvertently included.Patient G's disclosed PHI included name, DOB, MR# and account number and type of diagnostic lab disclosed in the physician's orders.4. Review of the hospital's documents showed on 5/1/12, the discharge instructions and medication reconciliation forms belonging to Patient H were inadvertently given to another patient also being discharged.Patient H's disclosed PHI included name, MR#, account number, DOB, age and medications.5. Hospital documentation showed a breach of Patient J's PHI occurred on or about 7/16/12.The PHI belonging to Patient J was inadvertently disclosed to the patient's attorney by the hospital's release of information vendor (HealthPort).Patient J's disclosed PHI included name, MR#, account number and clinical information in the form of evaluation, review of systems and a physical examination of the patient by an emergency department (ED) physician and registered nurse (RN).6. Hospital documentation showed Patient K's PHI was accidentally faxed to the incorrect healthcare entity. The PHI was disclosed in the patient's face sheet and obstetrical discharge instructions.Patient K's disclosed PHI included name, DOB, MR# and account number, admitting diagnosis and admitting procedure.7. Review of hospital documentation showed Patient L's PHI, in the form of a face sheet, was inadvertently faxed to an incorrect healthcare entity.Patient L's disclosed PHI included name, DOB, MR# and account number, address, phone number and insurance contacts with names and phone numbers.8. Review of hospital documentation showed on 10/23/12, Patient M's discharge instructions were inadvertently given to another patient also being discharged.Patient M's disclosed PHI included name, DOB, MR#, account number and instructions specific to Patient M's discharge diagnoses and condition.9. Hospital documentation showed on behalf of an audit request, the hospital's release of information vendor (HealthPort) electronically scanned the medical record of the patient requested; however, on 11/9/12, hospital staff discovered PHI belonging to Patient Na and Nb was misfiled in that patient's medical record.Patient Na's disclosed PHI included discharge instructions with name, DOB, age and MR#. Patient Nb's disclosed PHI included medications. 10. Review of the hospital's documentation showed Patient O's PHI was accidentally placed on another patient's discharge instructions on 5/7/13.Patient O's disclosed PHI included name, DOB and account number.11. Hospital documentation showed a breach of Patient R's PHI occurred on 12/17/13.During the transfer of another patient, the Medication Administration Record form belonging to Patient R was inadvertently placed in the transferred patient's medical record and sent to another healthcare facility.Patient R's disclosed PHI included name, DOB, MR#, account number and medications.12. Review of hospital documentation showed the hospital's contracted release of information vendor (HealthPort) staff was involved in inadvertently sending PHI belonging to Patients S, T and U to an unauthorized entity.On 1/28/14, while sending the medical record of another patient via fax, Patient U's magnetic resonance image (MRI) of the brain report was inadvertently faxed with the other documents. The requesting entity called the HealthPort staff to inform the hospital the requested medical records was not received. In gathering the requested medical records, another staff also picked up operative reports belonging to Patients S and T and faxed them to the entity along with the requested records. The receiving entity then contacted the HealthPort staff again to inform them the documents received contained PHI belonging to patients for which they had not requested records. Patient U's disclosed PHI included name, DOB, MR# and account number. The diagnosis and findings were included in the report of the MRI of the brain. Patients S and T's disclosed PHI included name, DOB, MR# and account number. The diagnoses and findings were included in the patients' operative reports. On 8/29/14 at 1400 hours, a conference call with the Interim Director of the Health Information Management Department confirmed these breaches of PHI occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280