Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 13, 2015. Also cited in 24 other reports.
Report ID: L3SZ11, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Issue:
Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI) for 20 patients (1-20), when registered nurse A (RN A) intentionally accessed the medical records of 20 patients without authorization or a job related reason. This failure resulted in unauthorized access of 20 patients' medical records. Findings:The California Department of Public Health received an online report on 8/5/14, which indicated an internal investigation conducted in the course of an investigation of a clinical matter by the hospital identified RN A had accessed 20 patients' medical records. RN A had not cared for the affected patients, nor had a business related reason to access their medical records. The 20 medical records accessed disclosed patients' names, dates of birth, admission dates, treating physicians, diagnoses, medical record numbers, and treatment orders. During an interview on 2/13/15 at 12 p.m., the privacy officer (PO) stated the director of Main Pavilion (DMP) suspected RN A was accessing medical records without authorization. PO stated an audit on 7/28/14 had confirmed RN A accessed 20 patients' medical records. All the records disclosed the affected patients' diagnoses, and RN A had accessed 19 of the 20 patients' treatment orders. PO stated RN A was working in a different part of the hospital from where the affected patients were and she had no job related need to access the 20 medical records. PO further stated RN A was terminated on 8/6/14.During an interview on 3/13/15 at 1 p.m., DMP stated PO had asked her if RN A had a reason to access the affected patients' medical records. DMP stated the medical records were not for any of RN A's patients. Those patients were from other floors where RN A was not assigned to work.Several attempts were made to interview RN A on 3/13/15 without success.Review of a copy of a letter dated 8/5/14 from the hospital to the affected patients indicated RN A had accessed the patient's medical record without authorization which had disclosed the patient's name, date of birth, admitting date and diagnosis, treating physician, medical record number, and treatment orders.Review of a copy of an internal email from PO confirmed an audit indicated RN A had accessed 20 patients' medical records on 7/28/14 which disclosed the affected patients' names, treating physicians, admission dates, diagnoses, treatment orders (except for one patient), code status, medical record and visit numbers, and dates of birth.Review of a copy of the audit report indicated on 7/28/14 from 1:11 p.m. till 1:16 p.m. RN A had accessed the medical records for 20 patients, who were in a different section of the hospital from where she was working. Review of a copy of the hospital's 03/2012 "Confidentiality of Patient and Hospital Business Information" policy indicated everyone is expected to treat patient information in a confidential manner. Such information should never be viewed for reasons of personal interest or for reasons outside the employee's responsibilities.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280