Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER COAST HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 20, 2013. Also cited in 58 other reports.
Report ID: 9UP111, California Department of Public Health
Reported Entity: SUTTER COAST HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patients' (Patient 1) medical information when Patient 1's After Visit Summary (AVS) was handed to Patient 2. This failure allowed the unlawful or unauthorized access to Patient 1's medical information. Findings: The California Department of Public Health was notified on 6/19/13 that a, "Breach of Protected Health Information (PHI)", occurred on 6/8/13.During an interview on 6/20/13 at 9:30 a.m., Administrative Staff A stated that, on 6/17/13, he was notified by Licensed Staff C that she had been contacted by Patient 2's family, who complained that Patient 2 had received the wrong paperwork. The paperwork consisted of Patient 1's Emergency Department (ED) After Visit Summary (AVS) that Patient 2 had received on 6/8/13 after a visit to the ED.Administrative Staff A also stated that the breach occurred on 6/8/13 when Licensed Staff B handed out Patient 1's AVS in error . Patient 1's PHI included her name, medical record number, weigh, date of birth, reason for visit, provider name, department seen in, reason for visit, diagnoses, medication list, and allergies.Administrative Staff A further stated that it was an error, in not following policy and procedure, when Licensed Staff B handed Patient 2 the AVS, for Patient 1, without double checking Patient 2's identity and comparing it to the AVS sheet. A review of the facility Policy and Procedure for, "OVERVIEW PRIVACY POLICIES UNDER HIPAA", (12/29/12), reveals the following: "I. POLICY: It is the policy of the facility to protect the privacy and security of patient information and to comply with applicable laws and regulations...III. GUIDELINES: ...B. Protected Health Information and Records: Protected Health Information (PHI) includes any information received, created or maintained by the facility in which the patient is or may reasonably be identified, regardless of whether the information is in oral, paper, or electronic form...C. Facility Privacy Policies and Procedures: The facility and its workforce members must comply with a number of state and federal laws and regulations. It is the responsibility of facility management to develop and distribute necessary privacy and security policies and procedures to guide the actions of its workforce...It is the responsibility of all facility workforce members to comply with the policies and procedures and to cooperate with facility management to identify and correct problems that may cause privacy or security breaches...G...7. Data Security Patients the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by the facility to prevent its misuse. It is the responsibility all facility workforce members to read the applicable security policies and comply with their provisions."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280