Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MARIN GENERAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 18, 2012. Also cited in 63 other reports.
Report ID: JEWV11, California Department of Public Health
Reported Entity: MARIN GENERAL HOSPITAL
Issue:
Based on staff Interview and record and policy review, the facility failed to ensure one patient's private health information was protected from unauthorized access when the patient's mammogram results were sent to another patient. This resulted in the disclosure of personal health information, without the patient's permission, to unauthorized persons.Findings:On 5/8/12 at 12:07 p.m., the department received a telephone call from the facility who reported that a patient called them on 5/3/12, notifying them that they received another patient's mammogram report (cancer screening radiological test), dated 4/24/12, through the mail with their report.On 6/19/12, review of the facility form "Breach Notification Assessment Tool" dated 5/3/12, indicated that the lead Radiology Supply Associate received a call from a patient. The patient informed the Radiology Supply Associate, that she received her mammogram report plus the report of another patient. The assessment tool indicated that there was an unintentional error when staff placed two reports in one envelope.During a telephone interview on 11/30/12 at 2:10 p.m., the Facility Compliance Officer stated that the error occurred when two reports were folded at the same time and were placed in the same envelope and now staff make sure the reports are folded separately.On 11/30/12, review of the facility "Privacy Policies under HIPAA"(Health Insurance Portability and Accountability Act) revised 4/10, indicated that it was the policy of the facility to protect the patients rights of privacy, confidentiality and security of their personal health information (PHI). The Policy indicated that PHI was used or disclosed only for authorized purposes and that staff should not disclose information about a patient unless they have explicit authorization to do so. Staff should exercise care in how they communicate patient information and how and where they keep patient information to reduce the likelihood that it is exposed to unauthorized persons. The Policy indicated that patients have the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by staff to prevent its misuse.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280