Tag No.: A1514
Based on interview and record review, the facility failed to maintain the confidentiality of the personal health information (PHI) of Patient A when his clinical laboratory results were inadvertently faxed to a private party instead of the intended medical provider. This resulted in a breach of his PHI.
Findings:
On 5/15/12 at 9:20 AM, an investigation was initiated regarding an entity-reported incident of a possible breach of Patient A's PHI. According to the facility's self-report on 5/1/12, Patient A's PHI had been inadvertently sent to a fax number belonging to a private party instead of to the medical company that was intended to review it.
During an interview with the facility Health Insurance Portability and Accountability Act (HIPAA) and privacy officer on 5/15/12 at 9:45 AM, she explained how the breach occurred. "On 5/1/12 at 12:44 PM the emergency room (ER) was going to admit Patient A because the physician (MD) had determined he was unstable for transfer. The case manager (CM) from the insurance company contacted the nurse in the ER and requested all clinical laboratory results be faxed to her and the fax number she had provided was repeated back by the nurse, and confirmed. Approximately 30 minutes later one of the ER techs received a call from a woman stating she had received the faxed information on her home fax number. The woman stated she had received multiple faxes for this same company from different hospitals. The ER tech then phoned the CM at the company and again verified the fax number. The CM confirmed the number given was given incorrectly and it was the first number in the prefix that was different."
A review of the data sent, which included four pages of various laboratory results, showed Patient A's name, date of service, date of birth, account number, medical record number, hospital name, physician's name and admission status on each form. This was a breach of Patient A's PHI.