Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 7, 2013. Also cited in 46 other reports.
Report ID: 06DR11.01, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview, document and record review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential and not accessed by another health care worker without Patient 1's prior authorization.Findings:An on site investigation of an entity reported privacy breach was initiated on 8/7/13. It was reported to the California Department of Public Health that, on 7/10/13, Patient 1's inpatient electronic medical record was viewed by another health care worker (Pharm 1) without Patient 1's prior authorization.Patient 1 was admitted to the hospital on 7/10/13 for surgical treatment of endometriosis of the bowel and rectum (a female health disorder that occurs when cells from the lining of the uterus grow in other areas of the body causing pain and irregular bleeding) according to the Admission History and Physical.An interview was conducted with the hospital's Chief Nursing Officer (CNO) on 11/15/13 at 3:30 P.M. The CNO stated that Patient 1 and Pharm1 are "friends outside of the hospital". Both Patient 1 and Pharm 1 are pharmacists working at the hospital. The CNO further explained that Pharm 1 accessed Patient 1's electronic medical record to obtain her inpatient hospital room number. When he did so, Pharm 1 also had a view of Patient 1's Data Sheet. Patient 1's Data Sheet contained the following personal and PHI:1. Patient's Name2. Age3. Date of Birth4. Sex5. Hospital Location6. Account Number7. Medical Record Number8. Allergies9. Reason for Hospitalization10. Advance Directive Information11. Code StatusOn 11/20/13 at 3:20 P.M., an interview was conducted with Pharm 1. Pharm 1 stated that, on 7/10/13, he was working in the hospital's outpatient pharmacy. Patient 1's husband came in to the outpatient pharmacy and asked Pharm 1 if his wife was out of surgery yet. Pharm 1 told Patient 1's husband that he would check for him. Pharm 1 accessed Patient 1's data Sheet in her electronic medical record to obtain her hospital room number. Patient 1's room number was located on her inpatient Data Sheet that contained her personal and PHI listed above.A review of the hospital's policy and procedure, entitled "Confidentiality of Information" and dated 8/12, indicated that "Safeguarding of Information: Sensitive information collected and/or generated within [name of hospital] shall be maintained in such a manner that access to it is restricted to those with a need to know. Information will be restricted to those with a legal right under authorization, those participating in treatment, payment, healthcare operations and as mandated by state and federal laws in accordance with [name of hospital] policies."During the interview with Pharm 1, Pharm 1 acknowledged that he was not following hospital policy and procedure because he did not have a "need to know" regarding Patient 1's personal and protected health information.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights