Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 31, 2013. Also cited in 41 other reports.
Report ID: NZJC11.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A, when attempting to print Patient A's medical record, inadvertently faxed it to a medical clinic, unassociated with the facility. This breach of Patient A's PHI placed the patient at risk for identity theft. FINDINGS:On February 26, 2013, at 10:00 AM, during a visit to the facility, an interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of a possible breach of Patient A's PHI. On July 31, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on November 8, 2012, the facility was notified by a pain management clinic, that Patient A's PHI had been faxed to their clinic, from this facility, which was unknown to the pain clinic. The facility investigation further revealed that Employee 1, a temporary agency collector, had chosen the default printer to print Patient A's PHI, intending to redact (black out identifying data) the PHI, in preparation for faxing. Nothing printed on Employee 1's printer. Thinking Patient A's medical record was printing to another printer within the facility she hit the only other print button on her printer, which caused Patient A's PHI to be faxed outside the facility, to the pain clinic. The clinic immediately called the facility notifying them that they had received Patient A's PHI. The facility asked the clinic to fax the PHI back to the facility for further investigation and to destroy the PHI, which they did. Patient A's PHI which was faxed in error to an unauthorized, unintended pain clinic included the following: Patient A's name, date of birth, social security number, driver ' s license number. age, address, relative name, address and phone number, Insurance ID #, group # and plan code, insurance benefit coverage details, ordering physician name, diagnosis, past medical history, current medical condition, medications, labs ordered and results, allergies, facility name, date of discharge, medical record number, encounter number, sex, and marital status.On August 14, 2012 at 12:11 PM, a phone interview was conducted with FPO, who confirmed the incident. She stated that when facility Information Technology Services (IT) had set up Employee 1's printer, they had made an error in the configuration of her printer. Employee 1's "default" button on her printer did not work, so Employee 1's chose the only other "print" button on her printer, believing that Patient A's medical record was printing in a different location in the facility. It actually faxed to an outside pain management clinic. She further stated that IT, "should have tested their work to determine if the configuration they had input was correct." The Facility failed to protect patient rights regarding maintaining the privacy and confidentiality of Patient A's (PHI), which resulted in Patient A's being placed at risk of identity theft, when a fax containing Patient A's PHI was faxed to an outside pain clinic without authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights