HospitalInspections.org

Based on interview and record review, the facility failed to protect Patient A's medical information. This resulted in the unauthorized release of Patient A's protected health care information.

Findings:

During a telephone interview with the privacy officer on 3/20/12 at 8:33 AM, she stated, "The number posted on the board was wrong. It went to a company in New Hampshire. They do not know who posted the number. Nothing was supposed to be posted without the department heads approval. Also the initials and date of the person posting it. The fax should have a verification sheet first and the number double checked with a second person."

The Protected Health Information of Patient A's that was released included:
a. Name
b. Medical Record Number
c. Date of Birth
d. Date of Service
e. Attending physicians name
f. Diagnosis

The policy and procedure titled "Sending Protected Health Information by Fax" dated 4/9/10, indicated, "Policy:
2. Prior to faxing PHI (Protected Health Information), Hospital 1's personnel must either:
a. Verify the fax number as being accurate and correct for the intended recipient, or
b. Utilize a preprogrammed Fax number by accessing the number memory of the Fax machine or faxing program.
3. Verification of a Fax number must be done through one of the following means.
a. Contacting the attended recipient (or the recipient's office personnel) and reading back the number to that individual.
b. Sending a test Fax asking for the recipient to send a verification Fax back."