Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MILLS-PENINSULA MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 29, 2014. Also cited in 6 other reports.
Report ID: XI0S11.01, California Department of Public Health
Reported Entity: MILLS-PENINSULA MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure that Protected Health Information (PHI) for 22 sampled patients was secured when:

1. For 19 patients (Patients 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and 19), the mammogram (a test performed to examine breast tissue) reports were accidentally faxed to a clinic in the community not involved with their medical care.
2. For Patient 20, the two forms of PHI documents (Women's Center and Breast Center Services forms) were faxed to an unintended health care provider who worked within the facility network but was not involved in the care of Patient 20.
3. For Patient 21, a letter containing her mammography screening results was accidentally mailed to the unintended recipient.
4. For Patient 22, the Treatment Authorization Request (TAR - a form needed to pre-approve funding for treatment) form for speech therapy was inadvertently faxed to the wrong health insurance provider.

This deficient practice resulted in the disclosure of the PHI for 22 patients to the unintended recipients and possible unauthorized use.

Findings:

1. During a review of the facility letter sent to the State Agency (SA is the California Department of Public Health - CDPH) dated 3/26/14, it indicated: "On March 21, 2014 the XXX (name of the facility), discovered that 19 patients' mammography reports were mistakenly faxed to the XXX (name of the community clinic) medical clinic ... . We learned of this issue when the XXX (name of the community clinic) medical clinic let us know that the paper work did not belong to any of their current patients."

In an interview with the Privacy Officer (PO) on 5/8/14 at 3:57 p.m., PO stated that the mammogram reports were faxed to the "wrong medical clinic".

In an interview with the Manager of the Women Center (MWC) on 5/8/14 at 4:00 p.m., MWC stated that the facility staff received a phone call from the community medical clinic requesting mammogram results.
MWC continued to state that "it was confusing for the staff to keep track of which clinic the results should go to". MWC stated that the facility had now implemented that a written request must be received by the facility prior to faxing results.

Review of the breached documents titled Women's Center form showed the following: names of the 19 patients, their dates of birth, phone numbers, medical record numbers, location of treatment, date of service, patient history, assessment results, recommendations and the electronic signature of the physician.

2. During a review of the facility letter sent to the State Agency (SA is the California Department of Public Health - CDPH) dated 3/27/14, it indicated: "On March 21, 2014 XXX (name of the facility) discovered that a request for a physician's order was accidentally faxed to the wrong physician on March 19, 2014. We discovered the error when the physician who received the request called XXX (name of the facility) to inform us that the request did not belong to any of her patients."

In an interview with the Privacy Officer (PO) on 5/8/14 at 3:40 p.m., PO stated that the documents were sent to another physician in the facility network; the staff "inadvertently chose the wrong physician". PO further stated that the unintended health care provider, who was not involved in the care of Patient 20, had the same first and last name as the intended health care provider.

Review of the faxed document showed the following: 1. Breast Center Services form: Name of Patient 20, date of birth (DOB), age, Medical Record Number (MRN), account number. 2. Women's Center form: Name of Patient 20, DOB, phone number, MRN, procedure report of the ultrasound biopsy right breast, pathology result and the electronic signature of the health care provider.

Review of facility Policy and Procedure titled: Facsimile (fax) Transmission of Medical Records, Dated 5/97, Last reviewed: 10/12. II. Procedure: A. Faxing protected health information: 1. The fax number must be verified. It is to be read back if given verbally. 2. If requester of the fax is unfamiliar/unknown, verify his/her identity and the correct fax number by calling him/her back. 8. Care should be taken to assure the fax transmission is sent to the appropriate destination. ... "

3. During a review of the facility letter sent to the State Agency (SA is the California Department of Public Health - CDPH) dated 3/21/14, it indicated: "On March 14, 2014 XXX (name of the facility) discovered that a letter containing a patient's mammography screening results from March 7, 2014 was accidentally mailed to the wrong patient".

In an interview with the Privacy Officer (PO) on 5/8/14 at 3:25 p.m., PO stated that the facility staff who did the mailing process placed two reports in one envelope that had the mammogram result for Patient 21. PO further stated that the patient who received the report sent the letter back to the facility.

Review of the breached document titled Women's Center showed the following: Name of Patient 21, home address, date of service, medical record number, result of the mammogram screening and name of her health care provider.

4. During a review of the facility letter sent to the State Agency (SA is the California Department of Public Health - CDPH) dated 3/12/14, it indicated: "On March 5, 2014 XXX (name of the facility) discovered that paperwork relating to a patient's speech therapy treatment was accidentally faxed to the wrong health insurance company on March 4, 2014. We learned of this issue when the health insurance company that received the information in error contacted XXX (name of the facility) ... ".

In an interview with the Privacy Officer (PO) on 5/8/14 at 3:25 p.m., PO stated that Patient 22's Speech Therapy completed the TAR document to get authorization from Patient 22's health insurance. PO continued to state that the completed TAR document was faxed by the facility staff, a receptionist, who selected the "wrong insurance".
Review of the faxed document showed the following: 1. TAR - Outpatient (50-1) Form: Name of Patient 22, home address, phone number, age, sex, Date of Birth (DOB), MC (Medi-Cal) Identification no., diagnosis description, specific services requested and the signature of the provider. 2. Pediatric Speech Therapy Form: Name of Patient 22, medical record number, sex, DOB, age, date of service, name of the health care provider. Background Information that showed: Family/Medical Developmental History: Findings and Observation that showed: Language comprehension/language expression, Articulation, Oral motor examination, Voice fluency, Diagnosis/impressions, Prognosis, Summary and Recommendations, Goals of therapy and the signature of the provider.

Review of the facility policy and procedure titled:

1. Workforce Confidentiality and Privacy, Policy Stat ID: 429110, 13-810. Effective date: 5/1/98, Last revised 3/18/13, Policy Area: Privacy & Security. POLICY: It is the policy of ... that all members of the ... safeguard and protect Confidential information and that members of the ... acknowledge their obligation to follow ... information privacy and security policies ... PROCEDURE: 2. Safeguarding Confidential Information: a. Workforce members are obligated to protect and safeguard Confidential Information, regardless of format ... . DEFINITIONS: 17. "Unauthorized" ... means the inappropriate access, review or viewing of patient Medical Information without a direct need for medical diagnosis, treatment ... use or disclosure of medical Information".

2. Reporting Privacy Incidents to Individuals and Government Agencies, 13-806, 13-810, Policy Stat ID: 445994, Effective date: 9/1/09, Last revised: 2/1/12, Policy Area: Privacy & Security. H. Definitions: 12. Personal Information ... means an's first name or first initial and his or her last name in combination with any one or more of the following data elements, ... c. account number, ... d. medical information which means any information regarding an individual's history, mental or physical condition, medical treatment or diagnosis by a health care professional". 14. Protected Health Information or PHI means individually identifiable health information, including demographic information collected from an individual, ... that identifies the individual ... to which there is a reasonable basis to believe the information can be used to identify the individual".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280