PLACENTIA LINDA HOSPITAL

Report ID: 4KDR11, California Department of Public Health

Reported Entity: PLACENTIA LINDA HOSPITAL

Issue:

Based on interview and hospital document review, the hospital failed to prevent the disclosure of 15 patients' (Patients J, K, L, M, N, O, P, Q, R, S, T, U, V, W and X) protected health information (PHI) to unauthorized individuals. In addition, the hospital failed to prevent the disclosure of 46 patients' who's PHI was found loose in a United States Post Office bin.Findings:1. On 1/6/12, the hospital was made aware a breach of PHI regarding Patient J occurred on 12/5/11 at 1050 hours.The hospital's investigation showed on 12/5/11, a fax was incorrectly dialed. Laboratory results belonging to Patient J were inadvertently sent to a private residence instead of the intended physician's office. The hospital was notified by a private citizen on 1/6/12 at 1050 hours, that he had received Patient J's information on a private residence fax. The PHI on the laboratory results disclosed Patient J's name, date of birth (DOB), age, gender, medical record number, specimen number, physician name and allergy results.2. On 2/13/12, the hospital discovered a breach of Patient K's PHI occurred. The hospital's investigation showed on 2/11/12, staff entered the incorrect health plan into the patient's account. Patient K's face sheet was faxed to the wrong insurance health plan for insurance verification. The hospital was made aware when the Admitting Supervisor called the health plan for verification.The face sheet disclosed Patient K's PHI including name, address, social security number (SS#), medical record number, DOB, attending physician, diagnoses and room number to unauthorized persons.3. On 2/21/12, the hospital discovered a breach of PHI belonging to Patients L, M and N occurred.The hospital's investigation showed on 2/3/12, an insurance verifier from the Admitting Department hand delivered two packages, separated by rubber bands with two separate Fed Ex labels, to a receiving clerk in Materials Management. One of the packages contained the medical records of two patients to be sent to the California Child Services (CCS) insurance company. The other package contained the medical records belonging to Patients L, M and N, to be sent to Medi-cal. The Admitting Department staff asked the Materials Management receiving clerk to send the packages.On 2/21/12, the insurance verifier from the Admitting Department received a package from the CCS insurance company. The package contained the medical records belonging to Patients L, M and N that were intended to be sent to Medi-cal. The PHI belonging to Patients L, M and N included name, address, medical record and hospital numbers, DOB, SS#, attending physician, insurance information, diagnosis, all hospitalization records of tests and health professional notes.4. On 2/21/12, the hospital's Compliance Officer received a call from a private citizen to report the receipt of a three page laboratory report via fax. The private citizen stated the faxed laboratory report belonged to Patient O. The hospital's investigation showed the breach of Patient O's PHI occurred due to a systems error with the auto-fax. The auto-fax phone server inserted an extra digit into the middle of the number which dropped off the last digit of the number. The error resulted in the PHI belonging to Patient O disclosed to an unauthorized person instead of the intended physician's office.5. On 2/20/12, a patient had been inadvertently given the discharge instructions belonging to Patient P.The hospital's investigation showed a registered nurse (RN) using the computer accidentally clicked onto Patient P's clinical record to develop discharge instructions for another patient. The receiving patient noticed the error and returned Patient P's discharge instructions to the RN. The PHI belonging to Patient P included name, address, DOB, medical record number, hospital account number, phone number and one medication that was disclosed to an unauthorized person. 6. On 3/7/12, the hospital discovered an auto-fax of Patient Q's Magnetic Resonance Imaging (MRI) results was inadvertently sent to an unintended physician. The hospital's investigation showed, based on the volume of patient business and physician requests, non-staff physicians were entered into the Cerner Clinical system. This was done in order for them to receive an auto-fax of their patients' results as soon as the results were finalized. The physician chosen to receive Patient Q's MRI results was correct in the Cerner Clinical system; however, the fax number was incorrect. This was discovered as the intended physician called the Imaging Center of the hospital on 3/7/12, requesting results of Patient Q's MRI.Patient Q's MRI results were faxed to an unintended recipient.7. On 3/28/12, the hospital received an envelope from the United States Postal Service (USPS labeled, "found loose in the mail." The envelope contained 58 face sheets and electrocardiogram (EKG) reports belonging to 46 patients.The hospital's investigation showed a staff person in the Cardiology Department had an inconsistent process for mailing patient information. The staff member sometimes only used the clasp and did not moisten the flap or use tape to seal the manila envelopes.The PHI on the face sheets and EKG reports disclosed the patients' name, DOB, SS#, medical record and hospital account numbers, address, phone number, physician name, insurance information, chief complaint for service, and the EKG strips.8. On 3/30/12, the hospital was made aware a breach of PHI occurred on 3/26/12, involving Patient R. Patient R's mammogram results on a CD were inadvertently given to the wrong patient on 3/26/12. The patient's name, DOB and medical record number were disclosed.9. On 4/9/12, a hospital staff in the Admitting Department self-reported she faxed Patient S and Patient T's face sheets to the wrong insurance company. The PHI disclosed included names, DOB, age, gender, race, social security number, address, physician name, emergency contact information, insurance carrier and chief complaint for service. In addition, the numbers for phone, medical record and hospital accounts were disclosed.10. On 4/13/12 the hospital was made aware a breach in Patient U's PHI occurred. The hospital's investigation showed on 4/11/12, Patient U's PHI, in the form of discharge instruction papers, were accidentally given to another patient discharged from the same care area.The PHI disclosed to unintended persons included Patient U's name, DOB, address and the numbers to the medical record, telephone and hospital account.11. On 4/23/12, the hospital was made aware Patient V's PHI was disclosed to unintended persons.On 4/23/12, a hospital staff sent a spreadsheet via e-mail to the wrong company's internal analytics department. The spreadsheet included PHI belonging to Patient V. The PHI disclosed included Patient V's name, account number and account balance.12. On 5/2/12 the hospital was made aware a hospital staff inadvertently breached the PHI of Patient W. The hospital's investigation showed on 4/28/12, while retrieving the discharge instructions from the printer for another patient, a staff accidentally picked up the EKG report belonging to Patient W. The discharged patient was sent home with Patient W's PHI. The PHI disclosed Patient W's name, DOB, gender, physician name, hospital account number and medical record number.13. On 5/4/12, the hospital was made aware the PHI of Patient X was sent via fax to a private citizen.The hospital's investigation showed a staff inadvertently faxed Patient X's face sheet to a private citizen instead of the intended receiving hospital. The PHI disclosed included Patient X's name, DOB, SS#, medical record and hospital account numbers, address, physician name and chief complaint for service.On 5/22/12 at 1500 hours, a conference call with the Hospital Compliance Privacy Officer confirmed the breaches occurred as documented.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280