Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: TD1711.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when Employee 1 inadvertently gave Patient B Patient A's dietary tray, which resulted in an unauthorized disclosure of Patient A's PHI.Findings; On December 15, 2014 at 10:30 AM, a phone interview was conducted with Employee 2 and the Risk Manager (RM), regarding an entity reported incident of a breach of PHI for Patient A, detected on May 23, 2014. During an interview with the RM, she stated that Employee 1 was on Leave of Absence (LOA) and did not know when the Employee would return to work. During an interview with Employee 2, she stated that she received a call on Volcera (a staff communication device) on May 23, 2015 asking her to go to a certain room number. She further stated that she was caring for a critical patient at the time, but went to the room as soon as possible.Employee 2 stated when she got there, Employee 1 told her that she accidentally gave Patient A's food tray to Patient B. She stated that Employee 1 stated to her that Patient B's visitor noticed the incorrect patient name on the tray and alerted Employee 1 who then removed the tray and corrected the error. During further interview with Employee 2, she stated that normally the Dietary Department passes dietary trays except when the patient is on isolation, then nursing staff deliver the trays to the patient. Employee 2 stated she reminded Employee 1 to always use 2 patient identifiers when passing trays. Employee 2 stated patient verification includes looking at the patient ID band and asking them their birthdate.During a concurrent interview with Employee 2 and the RM, the RM stated she notified Patient A by phone on May 29, 2014. A review of " Patient Notification of an Adverse Event" was present and dated May 29, 2014. During a review of the documentation a copy of a dietary slip was reviewed. The PHI disclosed were first initial, last name, and DOB.A copy of Employee 1's educational documents were reviewed as follows; Date of hire, Acknowledgment and Confidentiality Form dated 8/1/00, HIPAA Compliance dated 7/09/09, General Orientation documents dated 8/17/00, and Educational Transcripts dated 2014, which included HIPAA education.A review of the facility's policy and procedure titled "Confidentiality Policy" dated 1/22/14 reflects, "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient".The facility failed to ensure the correct patient received the correct dietary tray resulting in in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights