Mercy Medical Center

Report ID: 8MS311, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's patient identification label was put on a prescription given to Patient 2. (CA00321797)2. Patient 3's history and physical was given to Patient 4. (CA00323842)3. A clip board containing Patients 5-28's PHI was left at the bedside of a patient. (CA00334476)These failures placed Patient 1,3, and 5-28's PHI at a potential for unauthorized use.Findings:CA003217971. On 7/25/14 at 10:25 a.m., during an interview, the Privacy Officer (PO) stated Patient 1's patient sticker was attached to a prescription given to Patient 2. The PO stated the Doctor of Osteopathic Medicine (DO) did not check the patient name on the prescription per facility policy.The PHI disclosed included Patient 1's name, medical record number, and date of birth.The facility policy and procedure titled, "HIPAA Sanctions for Breach of Patient Privacy or Confidentiality" dated 11/2007, indicated "1. Policy...Medical records, business records, and other confidential records are 'highly confidential' and must be protected from improper use and disclosure...."CA003238422. On 7/25/14 at 10:37 a.m., during an interview, the Privacy Officer (PO) stated Patient 3's wound care follow up history and physical, service date of 8/9/2012, was given to Patient 4. The PO stated the Health Information Management Technician (HIMT) did not check the names on all documents before giving Patient 4 his records.The PHI disclosed included Patient 3's name, medical record number, date of birth, diagnosis, treatment, medical history, and physician notes.The facility policy and procedure, titled, "HIPAA Sanctions for Breach of Patient Privacy or Confidentiality" dated 11/2007, indicated "1. Policy...Medical records, business records, and other confidential records are 'highly confidential' and must be protected from improper use and disclosure...."CA003344763. On 7/25/14 at 10:45 a.m., during an interview, the Privacy Officer (PO) stated Registered Nurse 1 left a clipboard in Patient 27's room. The clipboard contained a work sheet (a facility printout listing patient room, name, account number, unit number, admit date, age, sex, attending physician, and diagnosis) with Patient 5-28's PHI. Patient 27's spouse took the clipboard to the nurse's station. Patient 27 indicated to the facility staff she saw her uncle's name on the work sheet and wanted to know what room he was in. The PO stated RN 1 should not have left the clip board in a patient room.The PHI disclosed included Patient 5-28's name, account number, age, and diagnosis.The facility policy and procedure titled, "HIPAA Sanctions for Breach of Patient Privacy or Confidentiality" dated 11/2007, indicated "1. Policy...Medical records, business records, and other confidential records are 'highly confidential' and must be protected from improper use and disclosure...."The facility policy and procedure titled, "(HIPPA) Regulation, Release of Information in Accordance with State and Federal" dated 04/94, indicated, "1. Policy...The medical record is the property of the hospital and is maintained for the benefit of the patient, the medical staff and the hospital. It is the responsibility of the hospital to safeguard the integrity of content and the physical property of the patient chart, both paper and electronic, against loss.... IV. Guidelines: A Confidentiality of Medical Records/Protected Health Information (PHI)...2. Nursing units maintain records of currently hospitalized patients (current and previous records) and is responsible for securing these records from unauthorized access or viewing...."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights