ORANGE COUNTY GLOBAL MEDICAL CENTER

Report ID: NQQK11, California Department of Public Health

Reported Entity: ORANGE COUNTY GLOBAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to prevent the disclosure of 28 patients' (Patient A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, Sa, Sb, Sc, Sd, Se, Sf, T, U, V and X) protected health information (PHI) to unauthorized individuals.Findings:1. Review of hospital documents showed, on 2/6/14, the Hospital Compliance Officer (HCO) was made aware a breach of Patient A's PHI occurred.The hospital's investigation showed Patient A's face sheet was inadvertently faxed to the wrong medical group.Patient A's disclosed PHI included name, address, phone number, date of birth (DOB), account number, medical record number (MR#), treatment date, physician's name, employer name with address and phone number, emergency contact information, insurance number and admitting diagnosis.2. Hospital documentation showed on 2/9/14, a patient inadvertently received Patient B's laboratory test results in their discharge follow-up packet. It was discovered when the patient went to the hospital's Emergency Room and gave the discharge follow-up packet to a nurse. Patient B's disclosed PHI included name, MR#, account number, DOB, ordering physician's name and laboratory test results.3. Review of hospital documentation showed on 3/9/14, a patient was discharged to another care facility with the clothes and wallet belonging to Patient C.Patient C's disclosed PHI included name, DOB, address, social security number (SS#), health plan name and member number and prescription card information.4. On 3/23/14, the hospital began the investigation regarding the missing paper portion of Patient D's medical record. It was last seen at approximately 0630 hours on 3/23/14, in the chart rack of the 6th floor medical surgical unit. At 0800 hours, staff and the House Supervisor searched but could not locate the record. The Director of the Unit was called and also searched. By the time staff looked in the Unit's trash it was already emptied by Environmental Service staff. Per the Environmental Service Supervisor, the trash was already picked up and was at the site and most likely shredded.Patient D's potentially disclosed PHI included the face sheet (name, address, DOB, account number, MR#, phone number, all health insurance information, authorization number and admitting diagnosis), Progress Notes dated 3/18/14 to 3/22/14 (patient's health status, interventions and plans), Condition of Services form, Consent(s), two Preliminary Radiology Reports (preliminary radiology test results), Right to Receive Visitor's form, Advanced Directives Checklist (none), Patient Notice of Admission Acknowledgement form, Stop Smoking form, at least one Physician Order form dated 3/18/14, and a Radiology Patient Questionnaire.5. Review of hospital documents showed, on 4/17/14, Patient E had clearly written the physician's fax number on the authorization to release his medical records. However, after faxing the patient's request a call was received that the medical records were faxed to a personal fax of an unknown recipient instead of the physician's office. It was discovered Patient E had incorrectly written the fax number by one digit. Patient E's disclosed PHI included name, DOB, address, SS# and phone number, MR#, account number, physician's information, reason for request, information requested and next treatment for mental health, treatment of alcohol and/or drug abuse, diagnosis of AIDS or HIV (implied), History and Physical, consultations, electrocardiogram results, four x-ray results, twenty pages of laboratory results and location in the facility.6. On 4/24/14, the HCO was notified a breach of Patient F's PHI occurred.Hospital documentation showed on 4/23/14, a patient was discharged home with the prescription and discharge instructions belonging to Patient F.Patient F's disclosed PHI included name, diagnosis and prescribed medication. 7. Review of hospital documents showed the HCO was notified a breach of Patient G's PHI occurred on 5/8/14.On 5/13/14 an email from a health insurance company was received by the Director of Utilization Review stating they were unable to identify the patient for whom they received documentation; they believed the information was sent in error. The Director investigated and discovered the patient account number given to her by a staff in the Central Billing Office (CBO) to send clinical information to open a claim was incorrect. Patient G's clinical information was sent to an unintended health insurance company.Patient G's disclosed PHI included name, DOB, SS#, MR#, account number, insurance and physician information, service dates and procedures with results, case management progress and discharge planning notes.8. Review of hospital documentation showed, on 5/23/14, a CBO staff received a call from a business stating they received Patient H's medical record documentation in error. Investigation showed Patient H's medical record documentation and claim were sent to the address in the system on 5/13/14. However, a note, dated 4/2/14, showed claims were to be sent to a certain address different than that which was in the system. The health insurance information in the system for Patient H was incorrect and the note was overlooked when the claim was sent out.Patient H's disclosed PHI included face sheet (name, address, DOB, account number, MR#, phone number, all health insurance information, authorization number and admitting diagnosis), History and Physical (physical assessment with current and past health information), Physician Progress Notes (patient's health status, interventions and plans), Emergency Department visit records, medications and Discharge Summary form.9. Review of hospital documentation showed, on 5/25/14, a breach of Patient I's PHI occurred.During the discharge of a patient, the Medication Reconciliation and Discharge Instructions forms belonging to Patient I were signed and sent home with the patient.Patient I's disclosed PHI included name, DOB, MR#, account number, medications prescribed and the discharge instructions for a specified diagnosis.10. Hospital document review showed a breach of Patient J's PHI occurred on 6/4/14.A staff attempting to fax Patient J's clinical review to a specified payor inadvertently faxed it to an unintended payor. Patient J's disclosed PHI included name, DOB, MR#, account number and SS#, admission date, room number, admitting diagnosis, attending physician, insurance information and detailed patient history, medications, laboratory results and multiple pages of case management notes containing additional clinical information.11. Review of Hospital documents showed on 6/9/14, the HCO was notified a breach of Patient K's PHI occurred.Patient K's registration information showed the correct insurance payor however, a staff documented an incorrect payor name on the patient's face sheet. As a result, another staff faxed Patient K's face sheet to the wrong insurance payor.Patient K's disclosed PHI included name, DOB, MR#, account number, address and insurance information, physician's name, admitting diagnosis, level of care (Intensive Care Unit) and comments showing medical condition and laboratory test results.12. Review of hospital documents showed, on 6/4/14, the HCO was notified a breach of Patient L's PHI occurred on 5/15/14. Staff inadvertently attached Patient L's medical records to another patients claim documents that was sent to their payor.Patient L's disclosed PHI included the face sheet (name, DOB, address, MR#, account number, date of service, hospital name and reason for visit), History and Physical forms (past and current physical status and medical history), consultation reports, physician orders, medications, laboratory and radiology test results and the discharge summary (detailed medical status and plan for discharge).13. Review of hospital documents showed a breach of Patient M's PHI occurred on 6/12/14.On 6/12/14, a staff attempted to fax Patient M's face sheet to the patient's insurance payor but in error dialed one digit incorrectly and inadvertently sent it to an unintended recipient.Patient M's disclosed PHI included name, DOB, MR#, account number, dates of admission and discharge, physician's name, diagnosis and insurance information.14. Hospital documents showed, on 6/12/14, a staff inadvertently faxed Patient N's PHI to unintended recipient. Patient N's disclosed PHI included name, address, phone number, DOB, SS#, diagnosis, physician name, date of injury, type of treatment ordered, last day worked, insurance information, employer information, occupation and work status.15. Review of hospital documentation showed, on 6/24/14, the HCO was notified a breach involving Patient O occurred.A consultant group contacted Patient O for a patient satisfaction survey regarding the hospital's services at which time Patient O informed them she believed the hospital violated her privacy. The consultant group notified the hospital's HCO, who then contacted Patient O for follow up. Patient O stated, while in the recovery room on 5/23/14, she observed staff showing portions of her medical record and discussing the after-care instructions for her care with her family without first obtaining her consent.16. Review of hospital documents showed a breach involving Patient P occurred on 6/27/14.On 6/30/14, family of a patient brought a letter to the CBO that had Patient P's information but was inadvertently sent to the wrong address. Patient P's disclosed PHI included name, account number and date of admission.17. Review of hospital documentation showed on 7/7/14, the HCO was notified a Case Management Liaison unknowingly picked up Patient Q's information from the printer and inadvertently faxed it along with the intended documents. Patient Q's disclosed PHI included name, DOB, MR#, account number, accession number, study date, study performed, study results, and the name of the attending and ordering physicians.18. On 10/8/14, the hospital's HCO was notified a patient received a prescription for the correct medication however it had another patient's name on it, Patient R.Patient R's disclosed PHI included name and DOB.19. Review of hospital documentation showed, on 10/31/14 and 11/1/14, computerized tomography (CT) scans and magnetic resonance imaging (MRI) services were performed without a service/business agreement in place and patient information was left at the offsite location's computer system. Patients Sa, Sb, Sc, Sd, Se and Sf's disclosed PHI included name, DOB, MR# and account number.20. Hospital documents showed on 12/12/14, the HCO was notified the Business Office was informed an appeal medical record packet belonging to Patient T was sent to the wrong guarantor, in error.Patient T's disclosed PHI included a complete copy of the medical record for the latest hospitalization dated 11/4 to 11/12/14, which contained name, DOB, SS#, address, phone number, MR#, account number, health plan information, physician name, admitting diagnosis and emergency contact information. 21. Review of hospital documents showed a breach of Patient U's PHI occurred on 12/24/14.As a Health Information Management staff was processing the discharged patients' medical records for 12/24/14, staff found Patient U's discharge instruction form was given to another patient in error.Patient U's disclosed PHI included name, DOB, MR#, account number and date of service.22. Review of hospital documents showed, on 12/26/14, the HCO was notified a breach involving Patient V occurred. The hospital's investigation showed a staff processing requests of information inadvertently sent the incorrect patients medical record to a physician's office.Patient V's disclosed PHI included name, DOB, MR#, account number, date of admission, diagnosis, final diagnosis document, physician assessment, laboratory test results, newborn hearing screening report, and page one of the patient profile including the immunization record.23. Review of the hospital's investigation showed on 12/28/14, Patient X's physician called and left a message for the patient's family member. However, the person who received the message left by the physician called the hospital's nursing supervisor to notify the message was received at the wrong phone number.Patient X's disclosed PHI included last name, date of service, need for a blood transfusion and a request to discuss consent for the blood transfusion. On 2/27/15 at 1000 hours, a conference call with the HCO confirmed the breaches of PHI occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280