VALLEY CHILDREN'S HOSPITAL

Report ID: LLQW11, California Department of Public Health

Reported Entity: CHILDRENS HOSPITAL CENTRAL CALIFORNIA

Issue:

Based on staff interview and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's prescription was mistakenly faxed to a private business.2. A package containing Patient 2's PHI transcribed on a delivery ticket was mistakenly given to Patient 3's responsible party.3. Patient 4's Provider Dispute Report was mistakenly mailed to the wrong insurance company.4. Patient 5's Discharge Summary was mistakenly given to Patient 6's responsible party.These failures placed Patient 1, Patient 2, Patient 4 and Patient 5 ' s PHI at a potential risk for unauthorized use.Findings:Refer to CA003090301. On 6/13/12 at 11:15 a.m., during a telephone interview, Staff 1 (Privacy Officer) stated on 4/25/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 mistakenly faxed Patient 1's prescription to a private business. Staff 1 stated the prescription contained Patient 1's name, date of birth, date of service, clinical diagnosis, attending physician and medical record number.The facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: " Children ' s Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information. The facility policy and procedure AD-5015, titled "Facsimile Machines" contained the following documentation: "Proper and cautious use of facsimile machines is essential to protect the confidentiality of Children's Hospital patients... When confidential information is faxed to a destination number that is not pre-programmed the fax machine operator shall be responsible for double checking the accuracy of the number in the machine's display before sending the fax.....staff are strongly encouraged to follow-up the transmission with a telephone call to confirm that the receiving party did, in fact, receive the facsimile." Refer to CA003127562. On 6/13/12 at 11:15 a.m., during a telephone interview, Staff 1 (Privacy Officer) stated on 5/21/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed a package containing Patient 2's PHI transcribed on a deliver ticket was mistakenly given to the Patient 3's responsible party. Staff 1 stated the delivery ticket contained Patient 2's name, date of birth, parents name, phone number, home address and attending physician. The facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: " Children ' s Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information. The facility policy and procedure number PR-1016, titled " Confidentiality " contained the following documentation: " Children ' s Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional. "Refer to CA00312949 3. On 6/13/12 at 11:15 a.m., during a telephone interview, Staff 1 (Privacy Officer) stated on 5/23/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Patient 4's Provider Dispute Report was mistakenly mailed to the wrong insurance company. Staff 1 stated the Provider Dispute Report contained Patient 4's name, date of birth, date of service, medical record number and clinical diagnosis. The facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: " Children ' s Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information. The facility policy and procedure number PR-1016, titled " Confidentiality " contained the following documentation: " Children ' s Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional. "Refer to CA003137504. On 6/13/12 at 11:15 a.m., during a telephone interview, Staff 1 (Privacy Officer) stated on 6/3/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed, during the discharge process, Patient 5's Discharge Summary was mistakenly given to Patient 6's responsible party. Staff 1 stated the Discharge Summary contained Patient 6's name, date of birth, date of service, medical record number, clinical diagnosis, attending physician and general follow up care instructions. The facility policy and procedure number 1.1521, titled "PHI, Use and Disclosure" contained the following documentation: " Children ' s Hospital and its employees are committed to protect the privacy of patients' health information and to comply with applicable federal and state laws that protect the privacy and security of patients' health information. The facility policy and procedure number PR-1016, titled " Confidentiality " contained the following documentation: " Children ' s Hospital will maintain adequate administrative, technical and physical safeguards to protect the privacy of confidential information from unauthorized use or disclosure, whether intentional or unintentional. "

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights