Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 19, 2014. Also cited in 41 other reports.
Report ID: ZPIG11.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Protected Health Information (PHI) for Patient A when Patient A ' s Protected Health Information (PHI) was posted on Face Book (a social media) by a radiology technician (Tech 1) co-worker. This placed Patient A at risk for identity theft.Findings:During a phone interview on June 25, 2014 at 4:21 PM, with the Facility Privacy Officer (FPO), an investigation was initiated for an entity reported incident of a breach for PHI Patient A.The FPO stated on April 11, 2013, Tech 1 disclosed Patient A ' s PHI on a social media site: Face Book. During a review of the facility's Investigative report on June 24, 2014, Tech 1 verified she had disclosed on Face Book that Patient A who was also a co-worker had died.During a review of the facility's policy and procedure titled "Social Media Guidelines" dated January 17, 2012, the policy indicated "Never post confidential information or photos of a patient on the Internet, even if it does not include a patient's name. Never discuss confidential information in public forums, chat room, and text message or news group. Inappropriate posts of confidential information or photos can seriously damage [institution ' s name], reputation, and result in individual liability for the responsible person."A review of the facility's policy and procedure titled "Privacy Principles" dated January 17, 2012, indicated that "The privacy principles as described herein require that all Protected Health Information (PHI), as defined in the rules and regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), be maintained and secured in a manner required by the Act and other applicable federal and state laws."This failure of Tech 1 to protect Patient A's PHI by posting it on Face Book placed Patient A at risk for identity theft.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights