SANTA CLARA VALLEY MEDICAL CENTER

Report ID: 7RWF11.01, California Department of Public Health

Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of patient health information (PHI) for two of three sampled patients (1 and 3), when: 1. Patient 1's medication was given to Patient 2; and 2. The hospital provided an outside entity PHI for Patient 3 outside the date range requested. The failure resulted in the disclosure of Patient 1's PHI to an unauthorized individual and excess disclosure of PHI for Patient 3. Findings:1. The California Department of Public Health received a faxed report on 11/1/13 which indicated on 10/28/13 Patient 1 went to the hospital affiliated pharmacy to pick up his prescription medication. Pharmacy staff discovered Patient 1's medication had already been picked up by Patient 2 on 10/25/13. During an interview on 8/20/14 at 2:50 p.m., the pharmacy assistant director (PAD) stated Patient 1 went to the hospital affiliated pharmacy to pick up his prescription medication. The pharmacy staff looked at the signature log and realized it had been given to Patient 2. PAD stated the pharmacy technician (PT) had checked Patient 2's identification, then went to the locked cabinet for the medication and inadvertently grabbed the wrong medication bottle. When PT returned to her computer, Patient 2's information was no longer on the screen. PAD stated PT then used the information from the medication label in her hand and accessed Patient 1's information instead of Patient 2's, because she had inadvertently grabbed the wrong medication bottle. PAD stated PT scanned the barcode on the medication bottle and gave it to Patient 2. PAD then stated the label on the medication bottle disclosed Patient 1's name, medication, directions for taking the medication, prescription number, and pharmacy name.During a telephone interview on 8/20/14 at 3:10 p.m., PT stated she had asked Patient 2 for two patient identifiers, then went to the locked cabinet in the back of the pharmacy to get Patient 2's medication. PT stated when she returned to the computer she scanned the barcode on the medication bottle, but it would not scan, because while PT was away from the computer another staff member had erased Patient 2's profile from the computer. PT then stated she used the information on the medication bottle to access the patient's information, but since she had inadvertently grabbed the wrong medication bottle Patient 1's information came up on the computer. PT stated she compared the information on the medication bottle to the information on the computer and handed the medication bottle to Patient 2. PT stated she was not aware she had given Patient 2 the incorrect medication until her manager informed her.A review of a copy of a letter from the hospital to Patient 1, dated 11/1/13, indicated on 10/28/13, the hospital affiliated pharmacy staff had inadvertently handed Patient 1's bottle of medication to Patient 2, disclosing Patient 1's name, prescription, medication name, strength, and dosing instructions.2. The California Department of Public Health received a faxed report on 9/19/13, which indicated on 9/16/13 the hospital was notified by their business associate (BA), the BA had mailed medical records outside the authorized requested date range.During an interview on 8/20/14 at 11:20 a.m., the ethics and compliance officer (ECO) stated the BA had received a request for medical records for Patient 3 from 5/30/13 through 8/14/13. ECO stated the requested medical records were mailed along with medical records prior to the dates requested. ECO stated the medical records recipient (the recipient was not Patient 3) notified the BA on 9/4/13, they had received medical records outside of the requested date range. During an interview on 8/20/14 at 1:20 p.m., a BA customer service representative (CSR) stated she had spoken with the recipient of the medical records who had requested medical records for Patient 3 from 5/30/13 to the present (8/14/13). CSR stated the recipient had stated she had received medical records which were prior to the requested dates.A review of a copy of Patient 3's medical records which were inadvertently mailed by the BA indicated X-ray results from 5/9/12 and 3/25/13, a history and physical from 7/5/12, ambulatory care progress notes from 7/5/12, 10/22/12, 5/29/13, and laboratory results from 5/29/13, had been disclosed.A review of a copy of a letter from the hospital to Patient 3, dated 9/19/13, indicated the hospital's BA had mailed part of Patient 3's medical records which was not part of the requested date range. The unauthorized disclosure of PHI included visit planning for 5/29/13, ambulatory progress notes for 5/29/13, 10/22/12, 7/5/12, and laboratory results for 5/29/13.A review of a copy of the BA's undated "Quality Steps" indicated, verify the correct record has been pulled to fulfill request, and records match the request.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

The report containing this deficiency also includes information about 1 other violation. Note that these may be related to the same event: 7RWF11.02

3 other violations reported on the same date. Note that other citations may be about the same event: 80V211.01, CKZM11.01, CKZM11.02