Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 20, 2013. Also cited in 103 other reports.
Report ID: LBD811, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review and policy review, the facility failed to ensure one Patient's (Patient 1) medical record was protected from unauthorized access when Patient 1's family member (Staff A), who was not involved in the patient's hospital care, accessed Patient 1's laboratory information against hospital policy and procedures.Findings:On 5/2/2013, the department received a faxed letter from the Compliance and Privacy Officer that an anonymous caller reported a "HIPAA" (Health Insurance Portability and Accountability Act" violation. The "HIPAA" Act, established mandatory regulations to ensure privacy and confidentially of patient health care information. The facility faxed letter, dated 5/2/13, indicated on 4/30/13, that the anonymous caller reported that they witnessed an employee (Staff A) access Patient 1's (Staff A' husband's) electronic medical health record.During an interview on 6/20/13 at 11:20 a.m., the Director of Inpatient Care Nursing, stated that the facility policy "Confidentiality of Patient/ Client Information" indicated that if staff were not taking care of the patient, than they should not have been accessing the record of that patient.During an interview on 6/20/13 at 11:50 a.m., the Health Services Compliance Officer and County Privacy Officer stated that the facility received a call through their compliance hot line, that Staff A looked in Patient 1's record without a "need to know", and also stated that they discovered through an electronic audit trail that there were 3 dates where Staff A accessed Patient 1's record. The dates were 12/18/12, 12/19/12 and 3/18/13.During a telephone interview on 7/2/13 at 10:55 a.m., the Personal Services Assistant 3, stated that Staff A, in December 2012, looked at multiple computer screens including Patient 1's laboratory values.On 7/2/13, review of the facility "Confidentiality of Patient/Client Information" policy, revised 6/11/11, indicated that each employee was responsible for keeping patient/client information confidential and that employees could not access, discuss or reveal any patient/client medical information without proper written authorization from the patient, except as required in the course of authorized business. The policy indicated that employees shall only have access to patient/client information as needed to carry out their specific job duties. The Policy indicated that "Under no circumstances" was it appropriate for employees to access a family member's medical records, electronic or otherwise, unless required to do so in the course of authorized business or in accordance with other duties.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280