
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

STANFORD HOSPITAL

300 PASTEUR DRIVE, STANFORD, CA 94305

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 10, 2012. Also cited in 15 other reports.


Report ID: RPSO11, California Department of Public Health

Reported Entity: STANFORD HEALTH CARE

Issue:

Based on interview and record review the hospital failed to maintain confidential medical treatment for 17 of 17 sampled patients.

Findings:

During an entity reported incident investigation conducted on 1/10/12, the privacy and compliance officer stated a hospital physician misplaced her personal mobile telephone on 10/21/11. The physician's mobile telephone contained e-mail messages exposing medical information for 17 hospital patients. The medical information for each patient included the patient's name, age, medical record number, and medical history and treatment. The privacy and compliance officer further disclosed the physician failed to implement the hospital's policy and procedures by not activating a password and encryption security system on her mobile phone. The hospital was made aware of the potential privacy breach on 10/24/11 and reported it to the Department on 10/28/11.

On 1/10/12 at 12 p.m. a review of the e-mails retrieved by the physician's mobile telephone was conducted. The e-mails contained patient names, age, and medical histories and treatments.

On 1/13/12 at 8 a.m. a review of the hospital's policy and procedures for "Mobile Phone/PDA Security Standard" dated 12/17/08 was conducted and it indicated the following: "Any personally owned mobile Phone/PDA authorized for business use must comply with all security requirements". The hospital's policy and procedure further indicated a password and encryption security system was required for any mobile phone device authorized for business use.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
