Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 7, 2012. Also cited in 72 other reports.
Report ID: O54G11.02, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI) from unauthorized persons in accordance with their policies and procedures, for 1 of 1 sampled patient (Patient 1). Findings:On 2/2/12 at 12:25 P.M., the hospital reported to the Department that an unauthorized disclosure of patient information occurred when a one page, two-sided "Group Intervention/Education Behavioral Health Unit" document, dated 4/1/10, belonging to Patient 1 was inadvertently included with Patient 2's (wrong patient) requested medical records. A review of Patient 1's medical record was conducted on 2/7/12 at 3:10 P.M. Patient 1 was admitted to the hospital on 3/18/10, per the facesheet. Patient 1's Group Intervention/Education Behavioral Health Unit document dated 4/1/10, contained the following confidential patient information: name, medical record number, account number, admission date, date of birth, physician name and whether or not Patient 1 attended the group intervention or education offered that day.An interview with the manager of health information management (HIM) was conducted on 2/7/12 at 3:30 P.M. The HIM manager stated that when medical records were requested, the chart was double-checked to ensure that all documents belonged to the correct patient and the patient's medical record, prior to being copied and issued to the requestor. He stated that the hospital's policy was to safeguard all confidential patient information and to follow procedures in place to ensure that the correct documents requested were copied and given to the authorized person(s).A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures," effective date of 1/09, was conducted. The policy indicated that the hospital shall access, use and disclose, protected health information with authorization of the patient or legal representatives, and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure." An interview with the Director of Risk Management (DRM) was conducted on 2/7/12 at 3:40 P.M. The DRM acknowledged that an unauthorized disclosure occurred when Patient 1's one page, two-sided Group Intervention/Education Behavioral Health Inpatient document dated 4/1/10, was found with Patient 2's requested medical records.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights