Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 7, 2014. Also cited in 90 other reports.
Report ID: X6O111.02, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to provide confidential treatment of medical records for one of two sampled patients (1), when a hospital staff member intentionally accessed Patient 1's medical record without a business need or authorization. This failure resulted in the disclosure of Patient 1's Personal Health Information (PHI) to an unauthorized individual. Findings:The California Department of Public Health received a faxed report on 2/19/14, which indicated, on 2/13/14, Patient 1 called the hospital and stated a medical assistant (MA A) had accessed Patient 1's medical record and retrieved her telephone number. After an internal investigation which included a computer audit, the hospital identified MA A had accessed Patient 1's medical record on 11/7/11. MA A had not cared for Patient 1, nor had a business related reason to access Patient 1's medical records. During an interview on 10/6/14 at 11:30 a.m., the compliance and privacy officer (CPO) stated MA A and Patient 1 had a personal conflict for many years. CPO stated Patient 1 believed MA A retrieved her telephone number and had harassed Patient 1 with many telephone calls. CPO stated MA A and Patient 1 had many altercations and they had called each other and antagonized each other over the telephone. CPO stated MA A had told her, she had retrieved Patient 1's telephone number from a third party and not through the hospital system. CPO stated an audit indicated MA A had accessed Patient 1's medical record on 11/7/11 which disclosed Patient 1's demographics, but no Patient Health Information (PHI) was disclosed. CPO stated MA A had stated she did not have a business related reason to access Patient 1's medical record. CPO stated MA A's manager had stated there was no business reason for MA A to access Patient 1's medical record. During an interview on 10/7/14 at 1:45 p.m., MA A stated she obtained Patient 1's telephone number from a third party. MA A stated she had accessed Patient 1's medical record, about three years ago, to see if Patient 1 had an appointment in the office where MA A works, to try to avoid her. MA A stated she did not see any appointments, only demographics information.A review of a copy of the computer audit indicated MA A had accessed Patient 1's medical record once on 11/7/11. MA A accessed Patient 1's demographics page which disclosed Patient 1's name, address, telephone number, medical record number, birth date, sex, and mother's maiden name, but no PHI was disclosed.A review of a copy of a letter sent on 2/19/14 from the hospital to Patient 1 indicated, on 2/13/14, the hospital had determined MA A had accessed Patient 1's medical record and the hospital was investigating what information had been retrieved.A review of the hospital's 12/27/13 "Workforce General Obligations Regarding Uses and Disclosures of Protected Health Information" policy indicated the hospital must ensure that all workforce members take reasonable steps to safeguard PHI/ePHI (electronic PHI) from any intentional or unintentional access that is in violation of hospital policy.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights