This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SUTTER SANTA ROSA REGIONAL HOSPITAL

30 MARK WEST SPRINGS ROAD SANTA ROSA, CA 95403

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 23, 2012. Also cited in 15 other reports.


Report ID: R3EV11, California Department of Public Health

Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of three patients' (Patient 1, Patient 3 and Patient 5) medical information when: A) Patient 1's medical information was sent to the wrong medical provider, B) Patient 3's medical information was sent to the wrong patient, and C) Patient 1's medical information was confirmed, by telephone, with the wrong company. These failures allowed the unlawful or unauthorized access to three patients' medical information.

Findings:

#1 CA00326512

The California Department of Public Health was notified on 9/20/12 that a, "Breach of Protected Health Information (PHI)", occurred on 7/7/12.

During an interview on 10/24/12 at 9:30 a.m., Administrative Staff A stated that the facility's Health Information Management department received a phone call, on 9/13/12 from the office of Patient 2's Physician, indicating that a medical clearance evaluation report, for an Outside Facility, was sent through the facility's computer Epic System, in error, to them instead of Patient 1's physician. Administrative Staff A further stated that it was human error, on the part of Unlicensed Staff B as the names were identical but with different ages and no middle names were included, at that time, in the medical record.

Review of the letter sent to Patient 1 (9/20/2012) advising her of the PHI breach confirms there had been a breach of her PHI to Patient 2's Physician.

A review of the facility Policy and Procedure for, "Patient Identification" (9/11), reveals the following: "I. POLICY In situations where an ID band is not used, the patient's name and birthdate will be used as the two patient identifiers...E. Two patient identifiers are utilized to assure safe provision of care and treatment services. 1. Prior to documentation, writing orders, transcribing orders, computer entry etc...3. Prior to all procedures, treatments, medication administration, care and services...G. Like name alert 1. Each department has a system in place to alert department staff about patients with similar names".

A review of the facility Policy and Procedure for, "Patient's Rights: Use and Disclosure of Protected Health Information For Treatment, Payment, and Healthcare Operations" (6/12), reveals the following: "PROCEDURES A...1. Definition of Treatment a...Treatment includes consultation between providers about an individual patient, patient referral for healthcare from one provider to another, and for coordinating the care of an individual patient among one or more providers...C...5...b. Substance Abuse Records Covered by the Federal Substance Abuse Regulations 1. Information may be disclosed to medical personnel who need the information to treat a condition which poses an immediate threat to the health of the patient and which requires immediate medical intervention. 2. The disclosure should be documented in the patient's medical record and should include the name and affiliation of the medical personnel to whom disclosure was made, the name of the individual making the disclosure, and the nature of the emergency".

#2 CA00326518

The California Department of Public Health was notified on 9/20/12 that a, "Breach of Protected Health Information (PHI)", occurred on 7/26/12.

During an interview on 10:00 a.m., Administrative Staff A stated that she received notification, on 9/19/12 from the facility's Health Information Management department, indicating that a Family Medical Leave (FMLA) letter, for Patient 3's family, had been sent in error to Patient 4 by Unlicensed Staff B on 7/26/12.

Administrative Staff A further stated that it was human error, on the part of Unlicensed Staff C as the names were identical with the exception of one added letter.

Review of the letter sent to Patient 3 (dated 9/20/2012) advising her of the PHI breach confirms there had been a breach of her PHI to Patient 4 on 7/26/12.

Review of a facility Corrective Disciplinary Action Notice for Unlicensed Staff C (9/20/12) reveals the following: "HIPAA Violation Specific Action/Behavior: Consolidated records of 2 separate individuals that resulted in records being sent to the wrong patient as the address of the wrong patient was overlayed".

A review of the facility Policy and Procedure for, "Combining Multiple Patient Medical Record Numbers" (4/11) reveals the following: "Physical record analysis will be preformed (sic) first to confirm they are duplicate patient charts".

A review of the facility Policy and Procedure for, "Employee Role-Based Access to PHI under HIPAA" (2/12) reveals the following: "Members of the facility workforce are granted access to E-PHI (Electronic Protected Health Information) based on their job function and role in the organization. The facility assigns minimum necessary access profiles to all job titles on the basis of 'need to know' and what is required to accomplish work assignments".

A review of the facility Policy and Procedure for, "Patient Identification" (9/11), reveals the following: "I. POLICY In situations where an ID band is not used, the patient's name and birthdate will be used as the two patient identifiers...E. Two patient identifiers are utilized to assure safe provision of care and treatment services. 1. Prior to documentation, writing orders, transcribing orders, computer entry etc...3. Prior to all procedures, treatments, medication administration, care and services...G. Like name alert 1. Each department has a system in place to alert department staff about patients with similar names".

#3 CA00327857

The California Department of Public Health was notified on 10/2/12 that a, "Breach of Protected Health Information (PHI)", occurred on 9/29/12.

During an interview on 10/24/12 at 10:30 a.m., Administrative Staff A stated that she received notification, on 10/1/12 from the Wrong Company indicating that Patient 5's discharge summary to Home Health with orders for intravenous fluids had been faxed to the Wrong Company in error.

Administrative Staff A further stated that it was an error on the part of Licensed Staff D as Home Health had given her the wrong fax number.

Review of the letter sent to Patient 1 (dated 10/4/2012) advising her of the PHI breach confirms there had been a breach of PHI to the Wrong Company instead of to Home Health.

Review of the facility Policy and Procedure for, "Facsimile (FAX) Transmission of Medical Records" (7/12), reveals the following: "POLICY The sensitive information contained in health records may be transmitted via facsimile (fax) when delivery through the regular mail will not meet the requesters' or senders' needs, such as for patient care, certification for payments, or other legitimate urgent need...PROCEDURE 6. Care should be taken to assure the fax transmission is sent to the appropriate destination".

Review of a facility warning STOP sign for, "Faxing Should Be Confidential" (no date), reveals the following: "1. YOU MUST VERIFY THE FAX NUMBER * Read back numbers (#s) given verbally. * If in doubt, call to verify number (#) before faxing".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
