Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: B5PD11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patients A, B, C, D, E, F,G, H, I and J, when a Telemetry RN inadvertently mixed eMars (electronic medication administration records) from Patients A through J in Patient K's chart when Patient K was transferred from Facility 1 to Facility 2. This resulted in an unauthorized disclosure of Patient A through J's PHI.Findings:On January 23, 2015 at 11:10 AM, an interview was conducted with the Telemetry RN (RN1) and the Risk Manager (RM) regarding an entity reported incident of a breach of PHI for Patients A, B, C, D, E, F, G, H, I and J, on July 20, 2014. RN 1 stated, Patient K's chart was printed on the only printer on the unit in preparation for Patient K to be transferred from (Facility 1) to (Facility 2). RN1 further stated they only have one printer on the unit which is used to print documents from many other computers. They always have to sort through the paper work on the printer to ensure that the correct documents are in the correct patient packets. RN 1 also stated the papers were sorted and several other patient's documents were found in Patient K's transfer packet. The papers were removed and placed in a pile next to Patient K's chart. The papers were then inadvertently scooped up and placed in Patient K's chart upon transfer, but is not certain how that happened.During a review of the documents transferred to Facility 2 from Facility 1, the PHI disclosed for Patients A through J included patient's name, account number, age, gender, physician name, and current medications listed on the eMar.In reviewing the documents received from Facility A, copies of certified letters dated August 11, 2014 sent to Patients A through J notifying them of the breach of their PHI were present.A review of the facility's policy and procedure titled, "Confidentiality Policy" dated 1/22/2014, indicated, "The employee will follow all (Facility A's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient."The facility failed to ensure that only Patient K's documents were included in the transfer packet when Patient K was transferred from Facility 1 to Facility 2, resulting in an unauthorized release of Patient's A through J's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights