DOCTORS MEDICAL CENTER

Report ID: VPFQ11, California Department of Public Health

Reported Entity: DOCTORS MEDICAL CENTER

Issue:

Based on staff interview, clinical record review, and administrative document review, the hospital failed to ensure confidential treatment of Patients 1, 2, and 4's protected health information (PHI) when:1. Patient 1's PHI was faxed to a local business and not the intended physician. (CA00382366)2. Patient 2's PHI was given to Patient 3. (CA00382677)3. Patient 4's PHI was given to Patient 5. (CA00385502)This failure resulted in unauthorized access to Patient 1, 2, and 4's PHI and the potential for abuse of that information.Findings:CA00382366:1. On 3/7/14 at 1:15 p.m., during a telephone interview, the Privacy Officer (PO) stated on 12/23/13, a hospital employee (Discharge Planner) attempted to fax Patient 1's Operative Report to his physician, but sent the report to a local business instead. The PO stated the employee should have double checked the number before sending the fax, but this was not done.Patient 1's PHI breached included his name, date of birth, medical record number, account number, physician, date of service, diagnosis, operative report, and reports for other medical procedures.The hospital's policy and procedure titled, "Transmission of Medical Records by Facsimile" dated 5/16/2012, indicated "When faxing documents . . .Verify by telephone the availability of the authorized receiver before beginning transmission. . .Verify from either the Communication/Transmission Result Report OR [Hospital] Patient Information System Audit Trail; the FAX was sent to the correct phone number."CA00382677:2. On 3/7/14 at 1 p.m., during a telephone interview the PO stated on 12/24/13, a hospital employee, (Licensed Nurse 1) included a copy of Patient 2's electrocardiogram (a print out of the heart's electrical activity) in the discharge packet given to Patient 3. The PO stated LN 1 should have double checked the paperwork before giving it to the patient, but this was not done.Patient 2's PHI breached included his name, date of birth, medical record number, account number, and diagnosis.The hospital's policy and procedure titled, "Information Privacy and Security Administration Policy" dated 9/16/13, indicated "[Hospital] Facilities must have appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI and other confidential information. The safeguards will be designed to reasonably protect PHI and other confidential information from any intentional or unintentional use or disclosure that violates federal and state regulations."CA00385502:3. On 3/7/14 at 1:30 p.m., during a telephone interview, the PO stated on 1/20/14 a hospital employee (Licensed Nurse 2) called Patient 5's family to pick up medications that had been left in the room. Patient 5's family picked up the medications and took them home where they discovered the medications belonged to Patient 4. The PO stated LN 2 should have double checked the identification on the medications, but this was not done.Patient 4's PHI breached included his name, physician, and the name and dosage of the medication.The hospital's policy and procedure titled, "Information Privacy and Security Administration Policy" dated 9/16/13, indicated "[Hospital] Facilities must have appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI and other confidential information. The safeguards will be designed to reasonably protect PHI and other confidential information from any intentional or unintentional use or disclosure that violates federal and state regulations."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights