
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Mercy Medical Center

333 MERCY AVENUE, MERCED, CA 95340

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 27, 2013. Also cited in 34 other reports.


Report ID: 1G4H11, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's billing information was sent to a wrong address.
2. Patient 2's laboratory information was given to another patient.
3. Patient 3's discharge instructions were given to another patient.
4. Patient 4's label information was placed on another patient's discharge information.
5. Patient 5's information was given to Patient 6 in error when both patient names were identical except for the beginning letters of the first name.

This failure placed Patient 1, 2, 3, 4, and 5's PHI at a potential risk for unauthorized use.

Findings:

Refer to CA00342713

1. On 5/23/13 at 10:15 a.m., the Privacy Officer (PO) stated the billing agency for the hospital had an old address for Patient 1. The Personal Health Information (PHI) of Patient 1 was sent to the last known address for Patient 1 and was opened in error by the new occupants at the address. The PHI that was breached included Patient 1's full name, the Emergency Department date of service, account number and the balance of the account. The billing agency failed to validate Patient 1's address with the Postal Service prior to their mailing the PHI. In the documents provided it was also noted Patient 1's date of birth was also breached.

The Privacy Officer indicated the agency was a contracted service for collection purposes and in the future the billing agency was to place the account on hold until the address change could be verified, and to validate the address with the US Postal Service. They were to periodically call any patient at the phone number provided to verify the address. The agency was to "vet out" potential gaps in relation to the fast forward address process.

Refer to CA00342931

2. On 5/23/2013 at 11:45 a.m., the Privacy Officer (PO) stated Patient 2's information was breached to another patient. The PO stated the event occurred on the 7th floor of the hospital. Patient 2's laboratory information was given to another patient. Review of the documented evidence showed the information breached included Patient 1's name, date of birth, gender, phone number, account number, room number, attending physician name, name of the lab test and the results.

The facility policy for Protected Health Information dated 12/09 contained the following under the section titled I. Policy: "it is the policy of ...to comply with state and federal regulations regarding the safeguarding of physical ...PHI. Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity".

Refer to CA00343388

3. On 5/23/13 at 11:30 a.m., the Privacy Officer (PO) stated Patient 3's Personal Health Information was breached when the Emergency Department staff failed to check a patient's identification bracelet prior to giving them discharge paperwork. The discharge paperwork went to the wrong patient. When Patient 3 returned to obtain her paperwork, staff realized the error. Staff stated what should have happened was that staff were to check the identification bracelet to verify the Patient. In this case staff took a patient's verbal response as indication of their identity.

Review of the documented evidence showed the information breach included Patient 3's full name, service date, account number, medical record number, attending physician, reason for visit, medication ordered, and location of service.

The facility policy for Protected Health Information dated 12/09 contained the following under the section titled I. Policy: "it is the policy of ...to comply with state and federal regulations regarding the safeguarding of physical ...PHI. Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity".

Refer to CA00349922

4. On 5/23/13 at 10:54 a.m., the Privacy Officer (PO) stated Patient 4's identification label was placed on another patient's discharge instructions. The information printed onto the discharge instructions included Patient 4's name, service account number, medical record number, service location and the name of the attending physician. This occurred when a physician printed out the discharge instructions for his patient, but the staff who handed the instructions to another patient failed to verify the identity of that patient so even though the instructions were for the right patient, the wrong patient's (Patient 4) name was on the documents.

The documents reviewed showed the information that was breached was: Patient 4's name, service account number, medical record number, service location and the name of the attending physician.

The facility policy for Protected Health Information dated 12/09 contained the following under the section titled I. Policy: "it is the policy of ...to comply with state and federal regulations regarding the safeguarding of physical ...PHI. Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity".

Refer to CA00353141

5. On 5/23/13 at 11:00 a.m., the Privacy Officer (PO) stated Patient 5's registration face sheet, Notice of Privacy Practices and a copy of Patient 5's patient advocate form were given to another patient. This occurred because both patients had the same name with only the first letter of the first name being different. One patient's first name started with a C and the other patient's first name started with a K. The documents reviewed showed the information breached was: Patient 5's name, address, telephone number, insurance information, employer, date of birth, hospital account number, medical record number and the name and contact information of the person to notify as necessary.

The facility policy for Protected Health Information dated 12/09 contained the following under the section titled I. Policy: "it is the policy of ...to comply with state and federal regulations regarding the safeguarding of physical ...PHI. Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity".

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
