Mercy Medical Center

Report ID: 7CZ011, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview, clinical record review, and administrative document review, the facility failed to ensure confidential treatment of protected health information (PHI) when:1. Patient 1's patient label was placed on Patient 2's mammography requisition (a form filled out by a family care clinic requesting a screening mammography). (CA00380156) 2. A rounding sheet (a form used by resident physicians) fell out of Physician 1's pocket while at a gas station. The rounding sheet had PHI of Patients 3, 4, 5, 6, 7, 8, 9, and 10. (CA00379787)3. Emergency Department (ED) staff gave Patient 11 and 13's discharge instructions to the wrong patients. (CA00376713)These failures resulted in unauthorized access to Patient 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, and 13's confidential information and had the potential for abuse of that information. Findings:(CA00380156)1. On 12/30/13 at 9:45 a.m., the Privacy Coordinator (PC) stated a staff member at a family care clinic, associated with the hospital, attached Patient 1's label to Patient 2's mammography requisition form. The PC stated the staff member did not ask Patient 2 what her name was and check the form for the correct name. The PHI on the label included Patient 1's name, date of birth, age, sex, and account number. The hospital policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding of" dated 12/09, indicated "I. Policy: It is the policy of [hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI)."(CA00379787)2. On 12/30/13 at 9:53 a.m., the Privacy Coordinator stated Physician 1 stopped at a gas station and a rounding sheet fell out of his pocket. Physician 1 left the gas station without picking up the rounding sheet. The PC stated PHI of Patients 3, 4, 5, 6, 7, 8, 9, and 10 were on the sheet. The PC stated Physician 1 should have secured the rounding sheet prior to exiting his vehicle. The PHI included the patients' names, addresses, age, sex, medical diagnosis, laboratory results, imaging results, and medical record numbers. The hospital policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding of" dated 12/09, indicated "...IV. Guidelines:...F. Hard copies of PHI or Sensitive Information transported between or outside the Facilities shall be locked in a closed container when attended or unattended...I. Employees must maintain possession and use appropriate physical safeguards for the use, maintenance, and transportation of such PHI to prevent unauthorized access while the documents are off site. This may include placing the PHI in the trunk of the vehicle..." (CA00376713)3. On 12/30/13 at 10 a.m., the Privacy Coordinator (PC) stated two breaches occurred in the Emergency Department (ED): a. Patient 11's patient information was printed on discharge instructions for Patient 12. The discharge instructions were given to Patient 12. The PC stated the Physician's Assistant did not check that the correct patient name was on the discharge instructions. b. Patient 13's patient information was printed on discharge instructions for Patient 14. The PC stated RN 1 did not check which patient profile he had opened on the computer before printing the discharge instructions. RN 1 did not check the patient name on the discharge instructions against the patient to be discharged. Patient 11 and 13's PHI breached included names and medical record numbers.The hospital policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding of" dated 12/09, indicated "I. Policy: It is the policy of [hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI)."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights