This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Good Samaritan Hospital

2425 SAMARITAN DRIVE, SAN JOSE, CA 95124

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 13, 2015. Also cited in 21 other reports.


Report ID: Y4SL11.01, California Department of Public Health

Reported Entity: GOOD SAMARITAN HOSPITAL

Issue:

Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI) for one patient (1), when a hospital staff member accessed Patient 1's electronic medical record without an authorization or a job related need. The failure resulted in the disclosure of Patient 1's PHI to an unauthorized individual.

Findings:

The California Department of Public Health received an online report on 10/7/14, which indicated a hospital employee accessed her family member's (Patient 1) medical record on 9/16/14. After an internal investigation, the hospital identified the infection control coordinator (ICC) had accessed Patient 1's medical record. ICC did not have a business related reason to access Patient 1's medical record nor was there an authorization for access.

During an interview on 1/13/15 at 11 a.m., the facility privacy official (FPO) stated an audit report indicated ICC had accessed Patient 1's electronic medical record on 9/17/14 and again on 9/22/14. FPO stated ICC had accessed radiology reports, cardiac reports, and medications. FPO stated she had spoken with ICC's director on 10/3/14 who stated ICC did not have a job related reason to access Patient 1's medical record. FPO further stated there was no authorization from Patient 1 for ICC to access his medical record.

During an interview on 1/13/15 at 11:40 a.m., ICC stated she had accessed Patient 1's medical record looking for test results, but the results were not there. ICC stated she believed it took two screens to get to where the test results should have been. ICC then stated after she accessed his medical record a second time, her director told ICC she should not be accessing Patient 1's medical record. ICC further stated she had not accessed Patient 1's medical record for job related reasons, as she was just curious about the test results.

A review of a copy of a letter dated 10/7/14, from the hospital to Patient 1 indicated a staff member had accessed his medical records without a job related reason. Patient 1's personal information, all physician dictations, radiology reports, and cardiac reports had been disclosed.

A review of a copy of a computer audit indicated ICC had accessed Patient 1's medical record on 9/17/14, accessing his summary reports, demographic data, and radiology reports, and again on 9/22/14 when she accessed his radiology reports, visit history, cardiology reports, medication orders history, care-area administrative data, and demographic data.

A review of a copy of the hospital's 5/1/08 "Minimum Necessary" policy indicated only workforce members with a legitimate "need to know" may access patient information. Each workforce member may only access the minimum information necessary to perform his or her designated role. A review of a copy of the hospital's 4/7/10 "HIPAA - Protected Health Information For Employee's Family Members or Friends" policy indicated employees with access to protected health information of family members or friends must treat the patient's information as they would any other patient who is not known to them personally.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
