This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

ST BERNARDINE MEDICAL CENTER

2101 N WATERMAN AVE, SAN BERNARDINO, CA 92404

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 14, 2015. Also cited in 41 other reports.


Report ID: R5BP11, California Department of Public Health

Reported Entity: ST BERNARDINE MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure the confidential treatment of the protected health information (PHI) for Patient A when RN 1 discharged Patient B to a private hospital with Patient A's medical record. This resulted in the unauthorized release of Patient A's PHI.

Findings:

During a phone interview on July 14, 2015 at 09:30 AM, with the Facility Compliance Professional (FCP), to investigate an entity-reported incident on July 2, 2015, of a breach of PHI for Patient A, the FCP was asked when and how the facility was first made aware that a breach had occurred. The FCP stated he was made aware of the breach on June 15, 2015, and the incident was reported to California Department of Public Health (CDPH) on July 2, 2015. The FCP was asked what type of information was breached; he stated "I'm not sure of the full contents of the chart at this time."

On July 17, 2015, during a second interview and return call to CDPH, the FCP was able to confirm the contents of the PHI breached and stated "The chart consisted of the history and physical, diagnosis, doctors' orders, medication administration record (MAR), nursing notes, and doctor's progress notes."

On July 29, 2015, during an interview with RN 1, he stated he was the nurse assigned to Patient A the evening of June 15, 2015 when the breach occurred. RN 1 was asked how he gave Patient A's chart instead of Patient B's chart to the transport person. RN 1 stated, "At 11:00 PM, the transport person came to pick up the patient for transport to the receiving hospital, I handed the chart to her, and thought it was the correct chart I was handing to her." RN 1 was asked what was included in the chart upon transfer. "Included in the chart is usually, the history and physical, MAR, demographics, medication reconciliation, and labs."

When asked when, and how did you know the breach occurred and what did you do to correct it, RN 1 stated, "At approximately 11:00 PM the charge nurse received a call from the receiving hospital letting us know they had received the wrong chart. I was given instruction by my supervisor to call the receiving hospital, to make sure they destroyed the chart, and at that time, the correct chart was faxed to the receiving hospital."

A review of the facility's Policy and Procedures, titled, "Dignity Health Administrative, Policy and Procedure; Safeguarding PHI and Sensitive Information," indicated, "It is the policy of [name of facility] to provide appropriate access to its confidentiality and integrity. The [name of facility] shall implement reasonable and appropriate administrative, technical, and physical safeguards required by the Confidentiality and Date Classification policy #70.8.039..."

A review of the facility's "Privacy & Data Security Employee Handbook," indicates, "Only individuals with an authorized "need to know" should have access to patients protected health information. Protected Health Information (PHI) consists of all information created or received about an individual relating to their past, present and future physical or mental condition as well as all data that is related to the payment for the provision of health care."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
