Good Samaritan Hospital

Report ID: CDUH11.01, California Department of Public Health

Reported Entity: GOOD SAMARITAN HOSPITAL

Issue:

Based on interview and record review, the hospital failed to protect the patients' right for confidentiality of patient records for six of seven sampled patients (1, 2, 3, 4, 5, 6, and 7), when:1) Patient payment receipts for five patients (1, 2, 3, 4, 5) were mailed to unauthorized individuals. 2) A receipt for payment disclosing Patient 2's personal information was mailed to Patient 7. The above failures resulted in disclosure of patient identifiable information to unauthorized individuals. Findings:1. On 3/12/14, the California Department of Public Health received an online report from the hospital's privacy officer (PO) which indicated information for five patients was sent to an unauthorized individual by the hospital's business associate (BA).During an interview on 7/18/14 at 10:25 a.m., the PO stated the BA, which is part of the hospital's billing department, did not include "end sets" during the printing process. An "end set" separates each patient's information. This failure resulted in 251 patients' receipts being packaged in one box and mailed to the patient who had the first receipt in the box. There was a total of four boxes, each containing 251 patient receipts. A total of 1,000 patients were affected, but only five patients were from the hospital. The PO also stated the receipts included the patient's name, address, account number, admission and discharge dates, original charges, and payments. According to the PO, she believed none of the receipts contained the names of any hospitals. The PO further stated as of 2/7/14, only two of the boxes had been retrieved. The PO stated she did not know how many of the receipts had been looked at by unauthorized individuals. The PO confirmed no medical information was disclosed.On 7/18/14, review of a copy of a letter sent from the BA to the hospital, dated 2/28/14, indicated the BA sent a file to a printer for printing and mailing. The file did not contain "end of set" marks to separate the printing and mailing of letters. A programmer at the printer identified the error and requested a new file. Less than three hours later, the BA sent a corrected file to the printer for processing. The corrected file was printed and mailed appropriately. However, the printer did not follow the proper steps to remove the initial, incorrect file from the print and mail stream. Specifically, the printer's project manager who was responsible for retracting the original, incorrect file from production did not follow the "Jobs on Hold" standard operating procedure. As a result, the file was printed instead of being removed. The statements were then manually assembled into four packages, each containing 251 statements. The packages were mailed to the first patient identified on each of the four packages. A total of 1,000 patients were affected by this incident.A review of a copy of a letter mailed by the hospital on 3/12/14 to Patients 1, 2, 3, 4, and 5 indicated the patients' personal information contained in the hospital records had been inadvertently disclosed to another patient. The information which may have been disclosed included the patient's name, address, patient account number, admission and discharge dates, amount charged, and payment amounts.2. The California Department of Public Health received an online report on 7/31/13, which indicated Patient 7's payment was inadvertently posted on Patient 6's account. Patient 7 received a receipt disclosing Patient 6's name and account number.During an interview on 7/18/14 at 11:30 a.m., the (PO) stated Patient 7 made a payment and received a receipt. Patient 7's payment was inadvertently posted to Patient 6's account. The receipt Patient 7 received disclosed Patient 6's name and account number. Patient 7 telephoned the hospital admitting department after he noticed the receipt was not his. Patient 7 then mailed the original receipt to the hospital.A review of a copy of the receipt Patient 7 had received from the hospital indicated Patient 6's name and account number had been disclosed. A review of a copy of a letter sent on 7/30/13 from Patient 7 to the hospital indicated his payment had been applied to another patient's (Patient 6) account. Patient 7 had returned the incorrect receipt in order to reapply the payment to Patient 7's account.A review of a copy of the letter sent by the hospital on 7/31/13 to Patient 6, indicated his name and hospital account number had been disclosed to an unauthorized individual.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: MR1311.01