SAINT AGNES MEDICAL CENTER

Report ID: 42UR11, California Department of Public Health

Reported Entity: SAINT AGNES MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's Electrocardiogram (ECG) report was faxed to a private citizen's home rather than the intended party.2. Patient 2's medical records were faxed to a private citizen's home rather than the intended party.This failure placed Patient 1 and Patient 2's PHI at potential risk for unauthorized use.Refer to CA003164891. On 8/20/12 at 10:25 a.m., Staff 1 (Privacy Officer) stated on 6/29/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Patient 1's ECG report was mistakenly faxed to a private citizen's home. Staff 1 stated it was the staff's responsibility to ensure all faxed transmissions were sent to the correct destination.The Patient 1's ECG report contained the following PHI: Patient name, date of birth, date of service, medical record number, account number, address, phone number and ECG results.The facility's policy and procedure titled " Privacy and Confidentiality Policy," dated 9/17/09, indicated "...all modes and methods of communication including but not limited to verbal, electronic, manual, automated, computer, facsimile, telephone, voice mail, electronic mail and any and all other forms of communication. The sender of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as computer, fax machine, electronic mail, or voice mail. ...Confidential information sent via facsimile requires special precautions. The sending party should always verify the correct fax number before sending a fax. It may be necessary to ensure that a particular individual is available to receive a fax transmission to ensure confidentiality." Refer to CA003178912. On 8/20/12 at 10:25 a.m., during an interview, Staff 1 stated on 7/10/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 (Social Services) mistakenly faxed Patient 2's medical record to a private citizen's home. Staff 1 stated it was Staff 2's responsibility to ensure all faxed transmissions were sent to the correct destination.Patient 2's medical records contained the following PHI: Patient name, date of birth, address, phone number, date of service, medical record number, account number, medical and social history, diagnosis, treatment, medication prescribed and general care instructions.The facility's policy and procedure titled " Privacy and Confidentiality Policy," dated 9/17/09, indicated "...all modes and methods of communication including but not limited to verbal, electronic, manual, automated, computer, facsimile, telephone, voice mail, electronic mail and any and all other forms of communication. The sender of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as computer, fax machine, electronic mail, or voice mail. ...Confidential information sent via facsimile requires special precautions. The sending party should always verify the correct fax number before sending a fax. It may be necessary to ensure that a particular individual is available to receive a fax transmission to ensure confidentiality."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights