CONTRA COSTA REGIONAL MEDICAL CENTER

Report ID: V56D11.01, California Department of Public Health

Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to protect the confidential medical information of two patients {Patient30 (CA00326661), and Patient33 (CA00327922)} of 16 patients reviewed, as evidence by:1. Patient31 receiving the After Visit Summary pertaining to Patient30 (CA00326661);2. Patient32 receiving a Diagnostic Imaging CD pertaining to Patient 33(CA00327922);These failures caused patients loss of dignity and privacy, and placed them at risk for identity theft.Findings:Review on 10/22/12 of facility policy "Confidentiality of Patient/Client Information", dated 12/1991and revised 6/2010, showed that the policy instructed staff that While individuals are patients/clients of the hospital it is each employee ' s obligation to contribute to the provision of care in an environment that protects the patient ' s/client ' s right to privacy, and to accomplish this all observations and or verbal, written, pictorial or photographic communications regarding patients/clients, in the absence appropriate authority to access or release that information, should be safeguarded as confidential. The policy instructed staff that each employee is responsible for keeping patient/client information confidential and that employees may not access, discuss or reveal any patient/client medical information without proper written authorization from the patient. The policy instructed staff that employees shall only have access to patient/client information as needed to carry out their specific job duties. The policy further instructed staff that employees will only discuss a patient ' s medical condition with those individuals authorized by the patient.Review on 10/22/12 of facility policy "Safeguarding Protected Health Information", dated 4/14/2003 and revised 7/01/2010, showed that the policy instructed staff that the facility must have appropriate technical and physical safeguards to reasonably protect health information from intentional or unintentional unauthorized use or disclosure. The Policy instructed staff to safeguard Protected Health Information stored in paper format by ensuring that files and documents are stored in locked desks, rooms or storage containers and that each work place will ensure that files and documents awaiting disposal or destruction are in appropriately labeled containers and all reasonable measures are taken to minimize access. The policy instructed staff that Role Based Access will be created and defined for each work force member based on their need for the minimum necessary computerized information to perform their job. The policy also instructed that each computerized information system holding protected health information has a defined data " owner " who is the manager responsible for its contents and that each owner will review and approve all access requests based on roles. The policy further instructed staff that knowledge of a violation or potential violation of this policy must immediately be reported directly to either the Privacy Officer or the Security Officer.1. On 10/22/12, the CPO (Compliance/Privacy Officer) stated that on 8/28/12, LVN-A (licensed vocational Nurse) gave an " After Visit Summary " to Patient31 that pertained to Patient30. The CPO explained that LVN-A discovered the error later the same day and called Patient31 to tell her the correct after visit information. The CPO further explained that the " After Visit Summary " contained Patient30 ' s name, medical record number, name of the primary care provider, reason for the visit, diagnosis, vital signs/ measurements, Patient instructions for therapy referral, current medication list, new medication orders, to do list, future appointment list, insurance carrier, member ID number and social security number.Review on 10/22/12, of a photocopy of the " After Visit Summary " showed three pages that included Patient30 ' s name, medical record number, name of the primary care provider, reason for the visit, diagnosis, vital signs/ measurements, Patient instructions for therapy referral, current medication list, new medication orders, to do list, future appointment list, insurance carrier, member ID number and social security number.2. On 10/22/12, the CPO stated that on 9/27/12, Clerk-O witnessed Patient32 complete and sign an authorization release form and the forwarded that form to Clerk-M telling her that the patient was waiting. Clerk-M prepared the CD (compact disc) of Medical Images and gave it to Patient32. Patient32 returned the disc later the same day stated it was labeled with Patient33 ' s name and contained Patient33 ' s images. The CPO explained that Clerk-M had prepared two CD ' s one for Patient32 and one for Patient 33 and had given the CD to Patient32 without confirming that it was labeled with Patient32 ' s name and contained Patient32 ' s images.Review on 10/22/12, of a photocopy of the CD label showed that the label included Patient33 ' s name, date of birth, medical record number and " Studies 05-19-2010:US-Breast, Lt side of body. "Review on 10/22/12 of facility policy "Release of Medical Imaging Records", showed that the policy instructed staff to release Medical Imaging Records to the Patient or Patient ' s legal representative after a Diagnostic Imaging Department Authorization to Disclose Medical Information -XR5 form is obtained. The policy instructed staff that once the XR5 form is obtained Diagnostic Imaging staff will follow the CD Media Guideline for preparing the CD. The policy further instructed staff to open the CD and cross reference it to the XR5 form to ensure the correct exam is recorded and to cross reference the CD to the XR5 to ensure the patient information imprinted on the front of the CD is correct prior to forwarding it to the patient or medical facility.

Outcome:

Deficiency cited by the California Department of Public Health: Medical Record Availability

Related Reports:

The report containing this deficiency also includes information about 3 other violations. Note that these may be related to the same event: V56D11.02, V56D11.03, V56D11.04