or, t.-. document librar… · and plan of correction . identifigatjonnumber: a.amld1ns: ......
TRANSCRIPT
Ill
PRINTED 11182014 FORM APPROVED
Calffomia Deoartment of Publfo Health (X1 PROVIDEVSUPPUERGUA (X2 MULTIPLE CO[(STRUGTlON STATBllIENTOF DERCIENCIES (XS) DATE SURVEY
AND PLAN OF CORRECTION IDENTIFIGATJONNUMBER COMPLETEDAamLD1Ns cA~ 6 rr1 n r nvtA DEPARTMENT cOF PUBLIC HtALTH aw1NG middotCA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREETADORESSCrrYSTATEZlPGODttB ] l 2015 725 WELCH ROAD
LUCILE SALTER PACKARD CHILDRENS HSP1 PALOALTO CA S43M
Licensing and CertificaUon OMslon LABORATORY DIRECTORS OR PROVDERSUPPLIER REPRESENTAT
STATE FORM
(X4) ID PREFIX
TAG
A 001
A ooo
SUMMARYSTATBlEmOrOEFICIENCIES (EACH OEFtctENCY MUST BS PRECEOEO BV FUU
REGULATORY OR lSG IDENTIFYIN0 INFORMATION)
Informed Medical Breach
Health and Safety Code Section 128015 (b)(2) 0 A olinlc health facility agency or hospice shall also report any unlawM or unauthorized access to or use or discIOsura or a patients medical Information to tha affeetad patfentorttie patients representative atthe last known address no tater than five business days after-the unrawflli or unauthorized access use or disclosure has been detected by the clinic health 1acHity agency or hosplce11
The CDPH verified that the facility Informed the affected patlents or the patients representative(s of the unlawful or unauthorized access use or disclosure of the patienfs medical Information
Initial Comment
Tha following reflects tha findings of the California Department o-i Publfo Health durfng the Investigation of an entity reported incident conducted from 81814 to 102014
For Entity Reportect lnGdentCA00349367 regarding State Monltorl~acy Breach to entitles outside hospital a tata delfGiency was Identified (see California aalth and Safely Code- Sectionmiddot128015(a))
lnspeutlon was limited to1he specific entity reported incident investigated and does not represent tha findings of a full inspection of the hospital
Representing the California Department of Public Health 32398 Health FaciHties Evaluator Nurse
movtDERS p[AlfoFGORRECTIONID ACH GORREOTVEACllON SHOULD BEPREFIX
CROSampflEFERENCED T01HE APPROPRIATETAG DEFICIENCY)
AC01middot Background
Preparation andor execution of this plan of correction does not constitute admission or agreement
bull by the provider of the truth of the
t- facts alleged or conclusions set
forth on the Statement of DefidenCies This plan of
middot correction is prepared andor ~ middot executed solely because it is
required by state law
The hospital did not report to the
California Deprtment of Public AOOO Health (CDPH) that a Breach of
patient health information occurred Rather the hospital in
an abundance of caution notified CDPH within five business days of a possible incident under Health and Safety Code Section 128015 In an abundance of cautiolJ the patient was promptly notified of the incident~ but over a year and a half later the patient has not complained of any harm
(X5) COMPLETE
DATE
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
()(2) MULTIPLE CONSTRUCTION A BUILDING _______ _
(X3 DATE SURVEY GOMPLETED
CA070001349 8WIN~ c
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP CODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDRENS HSP
PAlOALTO CA 94304
()lt4) ID PREFIX
TAG
Aooo
A017
SUMMARY STATEMENT OF DEFICIEfJCIES EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSD IDENTIFYING INFORMATION
Continued From page 1
The hospital detected the Breach of Patients Health Information (PHI) on 32513 The hospital reported the Breach of PHI to the Department on 4113 The hospital notified Patient 1 of the Breach of PHI on 4113
1280middot15(a) Health ampSafetyCode 1280
(a) A clfnlcmiddothealth facility homemiddothealth agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlaWful or unauthorized access to and use or disclosure of patients medical Information as defined in subdivision (g) of Section 5605 of the Civil Coda and consistent With Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($26000) per patient whose medical Information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars ($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical Information For purposes of the Investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related state and federal statutes and regulations the extentto which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurrfng and factors outside Its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section
ID PREFIX
TAG
AOOO
A017
PROVIDERS PLAN OF CORRECTION (EACH COtlAEOTIVEACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
There remains no evidence of
actual inappropriate access to use
or disclosure of the patients health I
information to date The hospitals ~ thorough investigation revealed
that a single email which was
inadvertently misdirected was
recalled expeditiously and then
promptly deleted from the server
at the hospitals direction The
email was sent after normal
business hours for t~ose on the
recipient list significantly
decreasing the likelihood of accessmiddot
The limited claim information middotmostly demographic was
contained in an attachment (not
the email itself) which also
significantly reduced the likelihood
of access especially for a recalled
email The possible recipients
were other health care providers
and vendors who are legally
obligated to protect the
confidentiality of patient
information
(X6 COMPLETE
DATE
Ucenslng and Certification Division STATE FORM QDlltM11 If continuation sheet 2 of 5
PRINTED 11182014 FORM APPROVED
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
8WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDijENS HSP bull
STREET ADDRESS CITY STATE ZlP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSO IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TD THE APPROPRIATE DEFICIENCY)
DATE
A017 Continued From page 2
This Statute is not met as evidenced by Based on interview and record review the hospital failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Public Health received a faxed report on 4113 which Indicated on 32713 a single claim form which contained Patient 1s name address telephone number insurance name and identification number diagnosis code date of birth and provider was inadvertently emailed to a group distribution list
During an Interview on 81814 at 245 pm the compllance and privacy officer CPO) stated a pharmacy senior account representative (SAR) Inadvertently emailed Patient 1s claim form on 32513 to a Llstserve The CPO stated the SAR was having problems filling out the claim form so
A017 The hospital has numerous
safeguards ii place to protect the
confidenti~lity and privacy of all
patient records and
communications Workforce
members are required to adhere to
privacy and security policies
pertaining to the protection of
patient information including
information in electronic form
The hospita ls policies and training
specifically state that Workforce
members sending email
information containing PHI should
take special precautions Policy
and training further states that
Workforce members shall provide
security for information that is
commensurate with its data
i classification level The data
classification level of PHI is
I
i
i
I
I I
I I
I I I
I
I
I
I
II
I I
I I
she had telephoned the vendor of the software program which filfs out claim forms The vendor had asked the SAR to email him the clalm form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
Category Confidential Highest
Sensitivity (Confidential Sensitive
Data) Policy and training also
require workforce members to
apply the minimum necessary
standard when using or disclosing
patient information
I
I I I
I
Licensing and Certification Division STATE FORM 6999 QDKM11 If contlnuatton sheet 3 of 5
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES ANO PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFIOATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING _______
PRINTED 11182014 FORM APPROVED
(X3) DATE SURVEY COMPLETED
CA070001349 BWrNG _________ c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAO LUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4)1D PREFIX
TAG
A017
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGUIJTORY OR LSC IPENTIFYlNG INFORMATION)
Continued From page 2
This Statute Is not met as evidenced by Based on interview and record review the hospltal failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was inadvertently emailed to a grcupdistribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Publio Health received a faxed report on 4113 which indicated on 32713 a slngle claim form which contained Patient 1s name address telephone number insurance name and Identification number diagnosis code date of birth and provider was inadvertently emalled to a group distribution llst
During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a pharmacy senior account representative (SAR) inadvertently emailed Patient 1s claim form on 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the claim form so she had telephoned the vendor of the software program which filrs out claim forms The vendor had asked the SAR to email him the claim form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (X5 COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTIVE ACTION SHOULD BE
DATE DElJCJENOY)
Contrary to policies procedures
and training the SAR failed to
protect patient Information in her
possession The SAR did not
adhere to policy and training that I 1require special precautions be
taken when sending email I information containing PHI nor did J
I
SAR adhere to policies and training
that require application of the
minimum necessary standard
While this was an isolated incident the hospital applied its corrective
action policy to prevent
recurrence
Policies
HIPAA Security Electronic Mail
Policy
Ill It is the policy of Lucille
Packard Childrens Hospital at
Stanford to provide electronic mail
to its workforce members to
facilitate communications within
and outside SHC with reasonable
security controls to ensure
confidentiality of ePHI and other
sensitive SHC data
Licensing and Certification Dlvlsfon STATE FORM 6899 If continuation sheet 3-of 5QDKM11
PRINTED 11182014 FORM APPROVED
California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
X2) MULTIPLE CONSTRUCTION A BUILDING ________
X3) DATE SURVEY COMPLETED
CA070001349 B WING G
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE
TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 HIPAA Use and Disclosure of
Protected Health Information
This Statute Is not met as evidenced by F When using or disclosing l
Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to
will make reasonable efforts to
limit PHI to the minimum
necessary to accomplish the
middotI I
unauthorized entrtles Findings intended purpose of the use
The California Department of Publlo Health disclosure or request The
received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone
does not apply to certain uses or
number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare
provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)
HIPAA Internal Access to
Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital
had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care
responsible for handling patient
facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and
Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5
~tgt
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
()(2) MULTIPLE CONSTRUCTION A BUILDING _______ _
(X3 DATE SURVEY GOMPLETED
CA070001349 8WIN~ c
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP CODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDRENS HSP
PAlOALTO CA 94304
()lt4) ID PREFIX
TAG
Aooo
A017
SUMMARY STATEMENT OF DEFICIEfJCIES EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSD IDENTIFYING INFORMATION
Continued From page 1
The hospital detected the Breach of Patients Health Information (PHI) on 32513 The hospital reported the Breach of PHI to the Department on 4113 The hospital notified Patient 1 of the Breach of PHI on 4113
1280middot15(a) Health ampSafetyCode 1280
(a) A clfnlcmiddothealth facility homemiddothealth agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlaWful or unauthorized access to and use or disclosure of patients medical Information as defined in subdivision (g) of Section 5605 of the Civil Coda and consistent With Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($26000) per patient whose medical Information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars ($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical Information For purposes of the Investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related state and federal statutes and regulations the extentto which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurrfng and factors outside Its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section
ID PREFIX
TAG
AOOO
A017
PROVIDERS PLAN OF CORRECTION (EACH COtlAEOTIVEACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
There remains no evidence of
actual inappropriate access to use
or disclosure of the patients health I
information to date The hospitals ~ thorough investigation revealed
that a single email which was
inadvertently misdirected was
recalled expeditiously and then
promptly deleted from the server
at the hospitals direction The
email was sent after normal
business hours for t~ose on the
recipient list significantly
decreasing the likelihood of accessmiddot
The limited claim information middotmostly demographic was
contained in an attachment (not
the email itself) which also
significantly reduced the likelihood
of access especially for a recalled
email The possible recipients
were other health care providers
and vendors who are legally
obligated to protect the
confidentiality of patient
information
(X6 COMPLETE
DATE
Ucenslng and Certification Division STATE FORM QDlltM11 If continuation sheet 2 of 5
PRINTED 11182014 FORM APPROVED
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
8WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDijENS HSP bull
STREET ADDRESS CITY STATE ZlP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSO IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TD THE APPROPRIATE DEFICIENCY)
DATE
A017 Continued From page 2
This Statute is not met as evidenced by Based on interview and record review the hospital failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Public Health received a faxed report on 4113 which Indicated on 32713 a single claim form which contained Patient 1s name address telephone number insurance name and identification number diagnosis code date of birth and provider was inadvertently emailed to a group distribution list
During an Interview on 81814 at 245 pm the compllance and privacy officer CPO) stated a pharmacy senior account representative (SAR) Inadvertently emailed Patient 1s claim form on 32513 to a Llstserve The CPO stated the SAR was having problems filling out the claim form so
A017 The hospital has numerous
safeguards ii place to protect the
confidenti~lity and privacy of all
patient records and
communications Workforce
members are required to adhere to
privacy and security policies
pertaining to the protection of
patient information including
information in electronic form
The hospita ls policies and training
specifically state that Workforce
members sending email
information containing PHI should
take special precautions Policy
and training further states that
Workforce members shall provide
security for information that is
commensurate with its data
i classification level The data
classification level of PHI is
I
i
i
I
I I
I I
I I I
I
I
I
I
II
I I
I I
she had telephoned the vendor of the software program which filfs out claim forms The vendor had asked the SAR to email him the clalm form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
Category Confidential Highest
Sensitivity (Confidential Sensitive
Data) Policy and training also
require workforce members to
apply the minimum necessary
standard when using or disclosing
patient information
I
I I I
I
Licensing and Certification Division STATE FORM 6999 QDKM11 If contlnuatton sheet 3 of 5
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES ANO PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFIOATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING _______
PRINTED 11182014 FORM APPROVED
(X3) DATE SURVEY COMPLETED
CA070001349 BWrNG _________ c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAO LUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4)1D PREFIX
TAG
A017
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGUIJTORY OR LSC IPENTIFYlNG INFORMATION)
Continued From page 2
This Statute Is not met as evidenced by Based on interview and record review the hospltal failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was inadvertently emailed to a grcupdistribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Publio Health received a faxed report on 4113 which indicated on 32713 a slngle claim form which contained Patient 1s name address telephone number insurance name and Identification number diagnosis code date of birth and provider was inadvertently emalled to a group distribution llst
During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a pharmacy senior account representative (SAR) inadvertently emailed Patient 1s claim form on 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the claim form so she had telephoned the vendor of the software program which filrs out claim forms The vendor had asked the SAR to email him the claim form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (X5 COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTIVE ACTION SHOULD BE
DATE DElJCJENOY)
Contrary to policies procedures
and training the SAR failed to
protect patient Information in her
possession The SAR did not
adhere to policy and training that I 1require special precautions be
taken when sending email I information containing PHI nor did J
I
SAR adhere to policies and training
that require application of the
minimum necessary standard
While this was an isolated incident the hospital applied its corrective
action policy to prevent
recurrence
Policies
HIPAA Security Electronic Mail
Policy
Ill It is the policy of Lucille
Packard Childrens Hospital at
Stanford to provide electronic mail
to its workforce members to
facilitate communications within
and outside SHC with reasonable
security controls to ensure
confidentiality of ePHI and other
sensitive SHC data
Licensing and Certification Dlvlsfon STATE FORM 6899 If continuation sheet 3-of 5QDKM11
PRINTED 11182014 FORM APPROVED
California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
X2) MULTIPLE CONSTRUCTION A BUILDING ________
X3) DATE SURVEY COMPLETED
CA070001349 B WING G
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE
TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 HIPAA Use and Disclosure of
Protected Health Information
This Statute Is not met as evidenced by F When using or disclosing l
Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to
will make reasonable efforts to
limit PHI to the minimum
necessary to accomplish the
middotI I
unauthorized entrtles Findings intended purpose of the use
The California Department of Publlo Health disclosure or request The
received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone
does not apply to certain uses or
number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare
provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)
HIPAA Internal Access to
Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital
had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care
responsible for handling patient
facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and
Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5
~tgt
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014 FORM APPROVED
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
8WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDijENS HSP bull
STREET ADDRESS CITY STATE ZlP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSO IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TD THE APPROPRIATE DEFICIENCY)
DATE
A017 Continued From page 2
This Statute is not met as evidenced by Based on interview and record review the hospital failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Public Health received a faxed report on 4113 which Indicated on 32713 a single claim form which contained Patient 1s name address telephone number insurance name and identification number diagnosis code date of birth and provider was inadvertently emailed to a group distribution list
During an Interview on 81814 at 245 pm the compllance and privacy officer CPO) stated a pharmacy senior account representative (SAR) Inadvertently emailed Patient 1s claim form on 32513 to a Llstserve The CPO stated the SAR was having problems filling out the claim form so
A017 The hospital has numerous
safeguards ii place to protect the
confidenti~lity and privacy of all
patient records and
communications Workforce
members are required to adhere to
privacy and security policies
pertaining to the protection of
patient information including
information in electronic form
The hospita ls policies and training
specifically state that Workforce
members sending email
information containing PHI should
take special precautions Policy
and training further states that
Workforce members shall provide
security for information that is
commensurate with its data
i classification level The data
classification level of PHI is
I
i
i
I
I I
I I
I I I
I
I
I
I
II
I I
I I
she had telephoned the vendor of the software program which filfs out claim forms The vendor had asked the SAR to email him the clalm form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
Category Confidential Highest
Sensitivity (Confidential Sensitive
Data) Policy and training also
require workforce members to
apply the minimum necessary
standard when using or disclosing
patient information
I
I I I
I
Licensing and Certification Division STATE FORM 6999 QDKM11 If contlnuatton sheet 3 of 5
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES ANO PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFIOATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING _______
PRINTED 11182014 FORM APPROVED
(X3) DATE SURVEY COMPLETED
CA070001349 BWrNG _________ c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAO LUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4)1D PREFIX
TAG
A017
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGUIJTORY OR LSC IPENTIFYlNG INFORMATION)
Continued From page 2
This Statute Is not met as evidenced by Based on interview and record review the hospltal failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was inadvertently emailed to a grcupdistribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Publio Health received a faxed report on 4113 which indicated on 32713 a slngle claim form which contained Patient 1s name address telephone number insurance name and Identification number diagnosis code date of birth and provider was inadvertently emalled to a group distribution llst
During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a pharmacy senior account representative (SAR) inadvertently emailed Patient 1s claim form on 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the claim form so she had telephoned the vendor of the software program which filrs out claim forms The vendor had asked the SAR to email him the claim form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (X5 COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTIVE ACTION SHOULD BE
DATE DElJCJENOY)
Contrary to policies procedures
and training the SAR failed to
protect patient Information in her
possession The SAR did not
adhere to policy and training that I 1require special precautions be
taken when sending email I information containing PHI nor did J
I
SAR adhere to policies and training
that require application of the
minimum necessary standard
While this was an isolated incident the hospital applied its corrective
action policy to prevent
recurrence
Policies
HIPAA Security Electronic Mail
Policy
Ill It is the policy of Lucille
Packard Childrens Hospital at
Stanford to provide electronic mail
to its workforce members to
facilitate communications within
and outside SHC with reasonable
security controls to ensure
confidentiality of ePHI and other
sensitive SHC data
Licensing and Certification Dlvlsfon STATE FORM 6899 If continuation sheet 3-of 5QDKM11
PRINTED 11182014 FORM APPROVED
California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
X2) MULTIPLE CONSTRUCTION A BUILDING ________
X3) DATE SURVEY COMPLETED
CA070001349 B WING G
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE
TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 HIPAA Use and Disclosure of
Protected Health Information
This Statute Is not met as evidenced by F When using or disclosing l
Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to
will make reasonable efforts to
limit PHI to the minimum
necessary to accomplish the
middotI I
unauthorized entrtles Findings intended purpose of the use
The California Department of Publlo Health disclosure or request The
received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone
does not apply to certain uses or
number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare
provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)
HIPAA Internal Access to
Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital
had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care
responsible for handling patient
facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and
Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5
~tgt
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES ANO PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFIOATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING _______
PRINTED 11182014 FORM APPROVED
(X3) DATE SURVEY COMPLETED
CA070001349 BWrNG _________ c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAO LUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4)1D PREFIX
TAG
A017
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGUIJTORY OR LSC IPENTIFYlNG INFORMATION)
Continued From page 2
This Statute Is not met as evidenced by Based on interview and record review the hospltal failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was inadvertently emailed to a grcupdistribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings
The California Department of Publio Health received a faxed report on 4113 which indicated on 32713 a slngle claim form which contained Patient 1s name address telephone number insurance name and Identification number diagnosis code date of birth and provider was inadvertently emalled to a group distribution llst
During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a pharmacy senior account representative (SAR) inadvertently emailed Patient 1s claim form on 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the claim form so she had telephoned the vendor of the software program which filrs out claim forms The vendor had asked the SAR to email him the claim form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (X5 COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTIVE ACTION SHOULD BE
DATE DElJCJENOY)
Contrary to policies procedures
and training the SAR failed to
protect patient Information in her
possession The SAR did not
adhere to policy and training that I 1require special precautions be
taken when sending email I information containing PHI nor did J
I
SAR adhere to policies and training
that require application of the
minimum necessary standard
While this was an isolated incident the hospital applied its corrective
action policy to prevent
recurrence
Policies
HIPAA Security Electronic Mail
Policy
Ill It is the policy of Lucille
Packard Childrens Hospital at
Stanford to provide electronic mail
to its workforce members to
facilitate communications within
and outside SHC with reasonable
security controls to ensure
confidentiality of ePHI and other
sensitive SHC data
Licensing and Certification Dlvlsfon STATE FORM 6899 If continuation sheet 3-of 5QDKM11
PRINTED 11182014 FORM APPROVED
California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
X2) MULTIPLE CONSTRUCTION A BUILDING ________
X3) DATE SURVEY COMPLETED
CA070001349 B WING G
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE
TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 HIPAA Use and Disclosure of
Protected Health Information
This Statute Is not met as evidenced by F When using or disclosing l
Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to
will make reasonable efforts to
limit PHI to the minimum
necessary to accomplish the
middotI I
unauthorized entrtles Findings intended purpose of the use
The California Department of Publlo Health disclosure or request The
received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone
does not apply to certain uses or
number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare
provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)
HIPAA Internal Access to
Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital
had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care
responsible for handling patient
facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and
Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5
~tgt
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014 FORM APPROVED
California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
X2) MULTIPLE CONSTRUCTION A BUILDING ________
X3) DATE SURVEY COMPLETED
CA070001349 B WING G
10202014
NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE
725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1
PALO ALTO CA 94304
X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE
TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 HIPAA Use and Disclosure of
Protected Health Information
This Statute Is not met as evidenced by F When using or disclosing l
Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to
will make reasonable efforts to
limit PHI to the minimum
necessary to accomplish the
middotI I
unauthorized entrtles Findings intended purpose of the use
The California Department of Publlo Health disclosure or request The
received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone
does not apply to certain uses or
number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare
provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)
HIPAA Internal Access to
Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital
had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care
responsible for handling patient
facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and
Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5
~tgt
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Publlc Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILDING ________
(X3) DATE SURVEY COMPLETED
CA070001349 B WING c
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)
A017 Continued From page 2 A017 Policy Confidentiality Statement
I Understand that I am
This Statute ls not met as evidenced by responsible for protecting PHI or
Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I
patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to
applicable policies with respect to
unauthorized entitles Findings the transmission of PHI or medical
information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action
number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the
email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a
quickly on an evening after
pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually
she had telephoned the vendor of the software program which filfs out claim forms The vendor
accessed the information
had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to
A single patient claim information
the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the
actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and
Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s
OF PUBLIC HEAltH ~c
FEB l 2 2015 Lamp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION
(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____
CA070001349 BWING c
10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
DATE
A 017 Continued From page 3
Identification number diagnosis code date of birth and provider
During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not
A 017 Security and followed instructions
to recall the email and in the
interim sent an email instructing
recipients to delete the email The I
latter was sent within 21 minutes and the recall occurred within
approximately 45 minutes
I
I I
The hospital was in the process of I permissibly responding to a I
receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled
A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list
middotmiddot
vendor under confidentiality
agreement with the hospital for
troubleshooting support when the
email was inadvertently
misdirected to the vendors
listserve According to the
hospitals vendor there were not
1026 health care facilities actively
participating in the listserve during l the period when this occurred
1
twenty months ago Rather the i vendor stated that it had 600
active members generally but did
not have a record that any
accessed the attachment to the
email at issue
Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted
Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors
OF PUSuc HEAL TH ENT
FEB Jl 2015 Lamp C DIVISION
SANJOSE
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014 FORM APPROVED
California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
CA070001349
(X2 MULTIPLE CONSTRUCTION A BUILDING _________
B WING _________
X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSG IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)
(XS) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information
A017 The CPO does not recall being
asked for the claim form The
hospital has the claim form and can
provide upon request Regarding I
the question as to how many I emails were recalled the employee
immediately contacted hospitals IT
Security and received instruction to
recall the email and accomplished
this within 45 minutes which gave
rise to a good faith belief by the
hospital that all or nearly all emails
were recalled
The hospital CPO verbally provided
relevant policy references The
hospital has had longstanding
policy on electronic mailing of PHI
and offers to provide the policy as
support for the previously provided
references
I
I i I
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB i 22015 Lamp C DIVISION
SAN JOSE
Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5
II
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Public Health
PRINTED 11182014 FORM APPROVED
STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER
(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~
(X3 DATE SURVEY COMPLETED
CA070001349 BWING _________
c 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATOIW OR LSC IDENTIFYING INFORMATION)
ID PREFIX
TAG
A 017 Continued From page 4 A017
However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY
Plan of Correction
For the patient affected by the
incident
The provider notified the patient
who was affected by this incident
The patient was provided with a
contact name and number to call
the provider with any questions i The patient has not contacted the I
hospital or otherwise expressed
any concerns
For other patients having the
potential to be affected by a similar
incident
This was an isolated incident and 1
limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail
address was selected to prevent I the email from going to
unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of
a similar incident
(X5) COMPlETE
DATE
April 1
2013
Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~
O~ PUBLIC HEAt TH middot T
FEB 1l 2015 L amp C DIVISION
SAN JOSE
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014 FORM APPROVED
Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION
(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER
CA070001349
(X2) MULTIPLE CONSTRUCTION A BUILDING _________
B WING
(X3) DATE SURVEY COMPLETED
c 10202014
NAME OF PROVIDER OR SUPPLIER
LUCILE SALTER PACKARD CHILDRENS HSP
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
(X4) ID PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
ID PREFIX
TAG
PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE
CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
(X5) COMPLETE
DATE
A017 Continued From page 4
However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information
A017
Immediate measures and enhancements to prevent
recurrence
The hospital continually seeks
opportunities to strengthen its
privacy and information security
programs for the protection of the
medical information of the patients
it serves Immediate measures
were taken as follows
a Within twenty minutes of March 25
sending the original email
attachment the employee sent a
second email to all recipients
directing them to immediately
delete the email and attachment
2013
1 b Within thirty minutes of March 25
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB r1 2015 L amp C DIVISION
SAN JOSE
sending the original email the
employee worked with IT security
to recall the original email
Recalling the message removes the
message from anyones inbox who
has not already opened the
message The SAR confirmed the
effectiveness of the recall because
2013
Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER
CA070001349
PRINTED 11iB2014 FORM APPROVED
(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---
cB WING ___ ___ ___
10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP
PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID
(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
A 017 Continued From page 4
However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB 1middot22015 L amp C DIVISION
SAN JOSE
Licensfng and Certlffcatfon DMslon
ID PREFIX
TAG
A017
PROVIDERS PLAN OF CORRECTION (XS) COMPLETE
CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE
DATE DEFICIENCY)
she in fact received the email
indicating her middot original email had
been recalled The providers
vendor is located on the east coast
and the majority of the vendors I clients are also located on the east
coast The original email with I
attachment was sent well after
normal business hours The
hospital has a good faith belief that
I
all or nearly all of the unintended
recipients would not have had the 1
opportunity to open the email and
open the claim attachment prior to
its recall According to the
hospitals vendor although the
listserve was comprised of 1029
members only 600 of those
members were active listserve
members in general for purposes of reading software updates there
is no evidence that any listserve
member opened this attachment
or viewed limited medical
information
STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION
NAME OF PROVIDER OR SUPPLIER
IDENTIFICATION NUMBER
CA070001349
LUCILE SALTER PACKARD CHILDRENS HSP 1
X4) ID PREFIX
TAO
AD17
(X2 MULTIPLE CONSTRUCTION A BUILDING ________
BWING
STREET ADDRESS CITY STATE ZIP CODE
725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
REGULATORY OR LSO IDENTIFYING INFORMATION)
Continued From page 4
However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
FEB l 12015 L ampC DIVISION
SAN JOSE
ID PREFIX
TAG
A017
I
PRINTED 11182014 FORM APPROVED
X3 DATE SURVEY COMPLETED
c 10202014
PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE
CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)
c The hospitals vendor
confirmed that the original email
was removed from its server
d Hospital workforce
members are required to complete
mandatory Privacy training i annually pass a competency test
and complete an attestation
statement acknowledging their
responsibility to comply with
Privacy policies and procedures 1
Monitoring performance to ensure corrections are achieved and sustained
i The hospital will continue
evaluative and
preventative efforts on PHI
data transmissions which
will be reported to the
hospital Director of IT
Security for a period of one l
year from the date of
incident
(X5) COMPlETE
DATE
April 1
2013
Ongoing
Mar~h 27 20l4
Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11iB2014 FORM APPROVED
Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--
cBWING _________CA070001349 10202014
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI
725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1
PALO ALTO CA 94304
X4) ID PREFIX
SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL
IP PREFIX
PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE
TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY
A 017 Continued From page 4
However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient
A017 ii Hospitals
manager over
function~
pharmacy Health Information claims processing functions
will monitor employee
actions related to emailing
claims information to
Hospitals business
associate vendors for a period of one year from
the date of incident
iii The functional manager
will ensure periodic
reminders of procedures
and policies at staff
meetings for a period middotaf
one year from the date of
incident
iv Hospital will include in its
annual 2015 privacy
CALIFORNIA DEPARTtv ENT awareness campaign
OF PUBLIC HEALTI- specific mention for
FEB 12 2015 employees to doubleshy
check the recipient in the
L ampC DIVISION To line of each email SAN JOSE
(X5) COMPlETE
DATE middotmiddot
~ ~middot middot
March 27
2014
March 27
2014
December
2014
snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11
PRINTED 11182014
FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED
CA070Q01349 B WING _________ c
10202014
I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE
LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304
SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE
TAG PREFIX PREFIXI
REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)
TAG
A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient
the Privacy
Council Health Information
(XS) COMPlETE
DATE
-
December
2014
CALIFORNIA DEPARTMENT or PUBLIC HEALTH
FEB 122015 Lamp C DIVISION S~JOSE
I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11