Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAINT AGNES MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 1, 2012. Also cited in 16 other reports.
Report ID: RW9211, California Department of Public Health
Reported Entity: SAINT AGNES MEDICAL CENTER
Issue:
Based on staff interview, clinical record review and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 2's laboratory results were faxed to a private individual's fax machine.2. Patient 3's billing statement was sent to the wrong patient's home.3. During discharge Patient 4's insurance and demographic information was given to another patient.4. Patient 5's medical records were given to the wrong patient.5. Patient 8's medical records were given to the wrong patient.These failures placed Patient 2, Patient 3, Patient 4, Patient 5, and Patient 8's PHI at a potential risk for unauthorized use.Findings:Refer to CA003431171. On 3/25/13 at 1:17 p.m., Compliance Coordinator stated the laboratory results were faxed to the wrong patient. She stated the information included: Patient 2's lab results, which included account number, date of birth, and gender.On 5/23/13 at 9:30 a.m., Compliance Coordinator stated that the home health agency that had requested the laboratory tests to be analyzed gave the wrong fax number for the results.The review of the clinical information provided was reviewed. The information breached included: Patient 2's name, date of birth, gender, home phone number, home address, personal and attending physician's names, the account number, the index codes for the patient's diagnoses, the patient's intake information for the laboratory tests to be done and the results of the tests ordered.The facility policy and procedure titled Privacy and Confidentiality Policy effective date 9/17/09 indicated: "Each...employee has a personal responsibility to protect both the privacy and confidentiality of that information.Refer to CA003396482. On 1/24/13 at 3:20 p.m. the Compliance Coordinator stated they were notified that Patient 3's billing statement was sent to the wrong address when the wrong guarantor was added to the file. On 5/23/13 at 9:33 a.m., the Compliance Coordinator stated the information gathered was written and then at a later time entered into the electronic system incorrectly.Review of the patient's clinical billing information showed what was breached was the patient name, account number, discharge date, and the amount of the bill. The facility policy and procedure titled Privacy and Confidentiality Policy effective date 9/17/09 indicated: under the section Modes and Methods of Communications: "The sender of the information must ensure that only the intended recipient(s) will have access to the information. Particular care must be taken when sending confidential information electronically, such as computers, fax machines, electronic mail, or voice mail.Refer to CA003453823. On 3/25/13 at 1:11 p.m. the Compliance Coordinator stated Patient 4's insurance and demographic information was given to another patient.On 5/23/13 at 9:35 a.m., the Compliance Coordinator stated during the hospital discharge process two patients records were printed out at the same time. The papers were combined and both sets given to one patient. Review of Patient 4's clinical record indicated the information breached was name, date of birth, gender, social security number, medical record number, diagnosis, attending physician, home address, home phone number, next of kin, employment status and insurance name and number.The facility policy and procedure titled Privacy and Confidentiality Policy effective date 9/17/09 indicated: "Each...employee has a personal responsibility to protect both the privacy and confidentiality of that information.Refer to CA003438054. On 3/25/13 at 1:30 p.m. Compliance Coordinator stated two patients had similar first names.On 5/23/13 at 9:40 a.m. Compliance Coordinator stated both patients had requested a copy of their medical records. Both records were placed into one packet and the packet was given to Patient 6.A review Patient 5's record was conducted. The information breached included: patient name, medical record number, date of birth, gender, admission and discharge dates, account number, attending and ordering physicians, radiology report results, MRI results, laboratory results, echocardiogram results, telemetry notes, and vascular report with height and weight.The facility policy and procedure titled Privacy and Confidentiality Policy effective date 9/17/09 indicated: "Each...employee has a personal responsibility to protect both the privacy and confidentiality of that information.Refer to CA003257695. On 10/1/012 at 2:15 p.m. Risk Management Officer stated that two patient records were in a tray and staff only reviewed the top of the stack for accuracy. Patient 8's records were combined with Patient 9's records and the envelope was given to Patient 9. Patient 8's records were reviewed. The following information was breached: patient name, account number, birthdate, admission date, home address, spouse, employment status, diagnosis, attending physician, primary physician, social security number, and spouse's social security number.The facility policy and procedure titled Privacy and Confidentiality Policy effective date 9/17/09 indicated: "Each...employee has a personal responsibility to protect both the privacy and confidentiality of that information.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights