LOMA LINDA UNIVERSITY MEDICAL CENTER

Report ID: X94Q11.01, California Department of Public Health

Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER

Issue:

Based on interview and record review the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a Transplant Patient Assistant sent via mail Patient A's medical documents to Patient B. This resulted in an unauthorized disclosure of Patient A's PHI.Findings:On November 14, 2014 at 12:15 PM, a phone interview was conducted with the Director of Compliance, Privacy and Security regarding an entity reported incident of a breach of Patient A's PHI detected by the facility on June 2, 2014. The Director of Compliance, Privacy and Security stated that Employee 1 inadvertently sent via mail, Patient A's medical documents which contained Patient A's name, medical record number, date of birth, phone number, address, insurance provider, insurance group number, diagnosis and treatment orders to Patient B. Patient B notified the facility and agreed to return the documents. Subsequently, on June 10, 2014 the returned documents revealed that in addition to the above PHI, the following PHI was breached as well: Patient A's last 4 digits of his Social Security number, insurance policy number and lab order descriptions. The Director of Compliance, Privacy and Security stated that Employee 1 failed to review the documents before mailing them to ensure that they were the correct documents.The Director of Compliance, Privacy and Security stated that Patient A was notified on June 6, 2014 of the breached PHI and again on June 20, 2014 when it was discovered that additional PHI on the documents were breached as well.On December 17, 2014 at 2 PM, a phone interview was conducted with Employee 1 regarding an entity reported incident of a breach of Patient A's PHI. Employee 1 stated she inadvertently sent to Patient B medical documents that contained PHI of Patient A's. Employee 1 stated that she did not follow the facility's policy and procedures.A copy of the letter sent to Patient A dated June 6, 2014 informing him about the breach of PHI was reviewed. In addition, a copy of the letter sent to Patient A dated June 20, 2014 informing him about the returned document that contained additional breached PHI was reviewed.A review of the medical documents for Patient A was reviewed and showed that the patient name, gender, date of birth, address, last 4 digits of the Social Security number, patient ID number, phone number, insurance company name, insurance group number, insurance policy number and laboratory test names were on the records that had been sent to Patient B.Employee 1's training record was reviewed and indicated education in HIPAA compliance, information security, confidentiality and disclosure of PHI. A document titled "Confidentiality Statement" with Employee 1's signature and dated January 4, 2005 was reviewed.A review of the facility's policy and procedure titled "Patients' Rights, Protection of Patient Privacy" dated May 2013 reflects, "All Medical Center employees, ..., shall be responsible for maintaining the confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient or patient-related data.".The facility failed to ensure the correct medical documents were sent to the correct patient resulting in an unauthorized release of Patient A's PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

4 other violations reported on the same date. Note that other citations may be about the same event: 3VR111.01, C46L11.01, E1PM11, J9XQ11.01