Los Alamitos Medical Center

Report ID: H53M11, California Department of Public Health

Reported Entity: LOS ALAMITOS MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to prevent the disclosure of 26 patients' (Patients Aa, Ab, B, Ca, Cb, D, E, G, H, I, J and 15 patients identified as Fa through Fo) protected health information (PHI) to unauthorized individuals.Findings:1. Review of hospital documents showed, on 4/20/13, the Hospital Compliance Officer (HCO) was made aware a breach regarding the PHI of Patients Aa and Ab occurred on 4/1/13.On 4/20/13, a patient, who was discharged from the hospital's emergency department (ED) on 4/1/13, notified the hospital of discovering papers belonging to two other patients mixed with his discharge papers (Patients Aa and Ab). These two other patients were also in the ED on 4/1/13.The PHI belonging to Patient Aa disclosed a urinalysis (urine test) result which included name, age, hospital account number, medical record number (MR#) and the results of the urine test. The PHI belonging to Patient Ab disclosed a Stat (immediate) urinalysis order which included name, age, hospital account number and MR#.2. Review of hospital documentation showed the HCO was made aware a breach of Patient B's PHI occurred on 4/23/12.The hospital's investigation showed a patient who was in the ED on the same date as Patient B was discharged from the ED. However, the patient returned to the ED the following day to return documents belonging to Patient B he found among his own discharge instructions.Patient B's PHI disclosed included name, age, gender, height and weight, date of birth (DOB), medical record number (MR#) and account number along with current diagnosis and diagnosis history.3. On 4/27/12, the hospital notified the Department a breach of Patient Ca's and Cb's PHI occurred on 4/23/12.Review of the hospital's investigation showed a staff in the Internal Analytics Department discovered on 4/23/12, a spreadsheet with the patients' PHI was accidentally sent via e-mail to an unauthorized healthcare insurance company instead of the intended recipient.Patient Ca's and Cb's disclosed PHI included names, account numbers and account balances.4. Review of hospital documentation showed the HCO was made aware a breach of Patient D's PHI occurred on 5/5/12.The hospital's investigation showed on 5/5/12, Patient D was in the ED; however, another patient was inadvertently provided two pages of Patient D's Transition of Care documents upon discharge from the ED. Patient D was also discharged from the ED on 5/5/12.Patient D's disclosed PHI included name, age, DOB and gender, date of service, physician name and presenting symptoms with medications dispensed, account number, and medical record number.5. On 8/3/12, the HCO was made aware a breach of Patient E's PHI occurred on 8/2/12 in the ED.Review of the hospital's investigation showed another patient, also being discharged, was accidentally given Patient E's discharge instruction papers.Patient E's disclosed PHI included name, date of service, diagnosis, medications prescribed and physicians' names.6. On 3/1/13, the hospital's HCO was made aware of a list of patients whose PHI was inadvertently disclosed to the hospital's business associate which provides revenue cycle services. Review of the hospital's investigation disclosed a staff in the Business Office inadvertently faxed a document with included 15 patients which should not have been shared with the business associate. Patients Fa, Fb, Fc, Fd, Fe, Ff, Fg, Fh, FI, Fj, Fk, Fl, Fm, Fn and Fo's disclosed PHI included names, DOB, diagnoses and service dates. 7. Review of hospital's documents showed, on 5/10/13, the HCO was made aware a breach involving Patient G occurred.Another patient's medical record, with the exact name as Patient G, was accessed in error. Patient G's disclosed PHI included DOB, the care plan with the presenting complaint, medication names and doses, vital signs and weight, height, ordered laboratory studies, along with a note the patient was compliant to the physician to whom the patient was referred.8. On 5/8/13 a former patient contacted the HCO and reported finding Patient H's discharge papers among hers from a visit to the hospital's ED on 4/24/13.Patient H's disclosed PHI included a copy of her California Driver's License (picture, name, DOB, address, height, weight), a copy of an insurance eligibility search (tax identification number, SS#, DOB, coverage date), a copy of a Conditions of Service form (signed and dated by patient) and a copy of a Questionnaire & Smoking Cessation & Advance Directive document.9. On 10/22/13 the hospital's HCO was made aware a breach of Patient I's PHI was disclosed on 1/20/13 in the ED.Review of the hospital's investigation showed a physician inadvertently handed a laboratory form with blood value results to the incorrect patient. The patient who received the incorrect laboratory blood values asked a Registered Nurse (RN) to alert the physician to questions he had regarding some abnormalities of the test. The RN viewed the results and noted the laboratory blood test results belonged to Patient I.Patient I's disclosed PHI included name, DOB, MR# and account number, date of service, admission and discharge dates, physician and laboratory blood test results.10. Review of the hospital's documents showed the HCO was made aware a breach of Patient J's PHI occurred at the hospital's offsite clinic on 12/4/13.On 12/4/13, a staff handed the laboratory blood test results document to a person who stated he was a friend/boyfriend of Patient J. The staff had no authorization from Patient J to give any documents of her medical record to that person.Patient J's disclosed PHI included name, DOB, address and two blood test results that were within normal limits.On 2/27/14 at 0900 hours, a telephone conference call with the HCO confirmed the breaches of PHI occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280