HospitalInspections.org

Based on interview and record review, the facility failed to protect the privacy of 1 patient (Patient A), by failing to ensure that Patient A's confidential medical records and personal information was not released to unauthorized people. This breach of privacy caused Patient A's medical information, and personal information such as social security number and home address, to be released to the wrong insurance company.

Findings:

A visit was made to the facility on 7/26/12, at 3:45 PM, to investigate a self-reported breach of Patient A's information.

During an interview with the Director of Health Information Management (DHIM) on 7/26/12, at 4:00 PM, she stated that Patient A was seen in the emergency room (ER) on 7/5/12. An insurance claim form containing Patient A's medical and personal information was sent after the ER visit to the wrong insurance company. The incorrect insurance company notified the facility on 7/16/12 that they received the insurance claim form in error for Patient A.

Record review on 7/26/12, at 4:00 PM, of Patient A's information that was submitted to the wrong insurance company included the the following:

a. Patient A's name
b. Patient A's medical record number
c. Patient A's admission date
d. Patient A's medical diagnoses
e. Patient A's date of birth
f. Patient A's home mailing address and phone number
g. Patient A's age, sex, race and marital status
h. Patient A's Social Security Number
i. Phone numbers and addresses of Patient A's relatives

The facility's policy and procedure titled "Confidentiality" dated 2/2003, indicated, "The purpose of this policy is to protect the patient, the clinical team and the facility from the inappropriate use and dissemination of individually identifiable health information."