Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
BAKERSFIELD MEMORIAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 10, 2011. Also cited in 18 other reports.
Report ID: 5LV111, California Department of Public Health
Reported Entity: BAKERSFIELD MEMORIAL HOSPITAL
Issue:
Based on interview and record review, the hospital failed to protect a patient's medical record, which contained protected health information, from an unauthorized person without the patient's consent. Findings:During an interview with the Director of Risk and Compliance (Dir Risk), on 10/11/11, at 11:50 AM, she stated: "Patient 1 called on 9/21/11 and reported that Staff 1 looked into his medical record after a visit on 3/13/11 to the emergency room." Investigation demonstrated that Staff 1 accessed Patient 1's medical record on 3/13/11. "Staff 1 is a hospital coder, but didn't code Patient 1's chart. She had no reason to access the record." During a review of the employee file for Staff 1, she had yearly training for Health Insurance Portability and Accountability Act (HIPAA) and was re-educated and tested on 9/28/11. During an interview with the Dir Risk, on 10/11/11, at 12:05 PM, she stated: "Patient 1 has left multiple messages...it's a personal problem between the two...he wants her (Staff 1) fired." The hospital report titled "Access by a Specific User/Patient" generated on 9/21/11 at 7:23 PM, indicated Staff 1 accessed Patient 1's medical record on 3/14/11 at 8:27 AM. The hospital HIPPA Memoranda Attestation Form regarding HIPAA Education-Privacy and Data Security indicates "PHI (Protected Health Information) cannot be accessed by an employee...unless you have a legitimate business purpose and to do your job." The hospital policy and procedure titled "Network Usage Policy" dated 12/18/09, indicated "G. Prohibited Uses of the Network: 6. Accessing or disclosing Confidential Information...that is not within the scope of the User's related duties and responsibilities..."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights