Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
NORTHBAY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 27, 2013. Also cited in 9 other reports.
Report ID: TM6J11.01, California Department of Public Health
Reported Entity: NORTHBAY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of three patients' (Patient 12, Patient 14, and Patient 15) medical information when: A) Patient 12's medical information was handed to a private individual; B) Patient 14's medical information was faxed to the wrong referral service; and C) Patient 6's medical information was handed to another patient. These failures allowed the unlawful or unauthorized access to protected health information.
Findings:
CA00324288
The California Department of Public Health was notified on 9/4/12, that a, "Breach of Protected Health Information (PHI)," occurred in October, 2009.
During an interview on 2/28/13 at 10 a.m., Administrative Staff A stated that, on 8/30/12, she was advised, by Supervisor K, that Patient 13 had called Supervisor K on 8/30/12. Patient 13 had just noticed that she had received (and never looked at), in October 2009, Patient 12's PHI, (dated 2003) which contained her name, gender, medical record number, date of birth, CAT scan results, diagnosis and two physicians' name.
Administrative Staff A further stated that it was human error, on the part of Unlicensed Staff L, in that Patient 12's radiology record, from 2003, had been filed in Patient 13's file (due to similar Medical Record numbers), and when Patient 13 requested a copy of her radiology record on 10/5/09, she received Patient 12's PHI as well.
The Department verified that Patient 13 (CA00324288) was notified, by mail, on 9/3/12, within the required timeframe.
CA00325688
The California Department of Public Health was notified on 9/14/12, that a, "Breach of Protected Health Information (PHI)," occurred on 8/27/12.
During an interview on 2/28/13 at 9:30 a.m., Administrative Staff A stated that, on 8/27/12, Unlicensed Staff M faxed progress notes and laboratory results, which included name, gender, date of birth, age, medical record number, condition, and physician's name for Patient 14, to the wrong referral office instead of Patient 14's requested referral office, as they had similar names.
Administrative Staff A also stated that Unlicensed Staff C did not follow policy and procedure to validate the address of Patient 14's requested referral office, before sending the fax.
Administrative Staff A further stated that she was notified by Unlicensed Staff N, on 9/12/12, after she was notified by a clerk at the wrong referral office, on 9/11/12.
The Department verified that Patient 14 (CA325688) was notified, by mail, on 9/14/12, within the required timeframe.
CA00325693
The California Department of Public Health was notified on 9/14/12, that a, "Breach of Protected Health Information (PHI)," occurred on 5/23/11.
During an interview on 2/28/13 at 9 a.m., Administrative Staff A stated that, on 5/23/11, Unlicensed Staff O copied radiology results onto a compact disk (CD), for Patient 16, which actually had CAT scan results, name, physician's name, and diagnosis for Patient 15.
Administrative Staff A also stated that Patient 16 did not realize the breach until 9/14/12, when she looked at the CD that had been copied on 5/23/11, and subsequently called Administrative Staff A.
Administrative Staff A further stated that Unlicensed Staff O did not follow policy and procedure in not verifying the correct name and spelling of Patient 16, at the time the request was made.
The Department verified that Patient 16 (CA00325693) was notified, by mail, on 9/14/12, within the required timeframe.
A review of the facility Policy and Procedure for, "Notice of Privacy Practice" (9/11), indicated the following: #"I. POLICY...B. The Notice of Privacy Practices will inform individuals of the Uses and Disclosures of PHI that may be made by the facility and of the patient's rights and the facility's legal duties with respect to PHI. The facility will document and implement procedures to ensure internal processes that create, use or disclose PHI in compliance with The Notice of Privacy Practices.
A review of the facility Policy and Procedure for, "Confidentiality of Patient Information" (4/12), indicated the following: #"I. PURPOSE: A. The facility acknowledges both a legal and ethical responsibility to provide patient confidentiality. Consequently, the indiscriminate or unauthorized review or disclosure of personal information, medical or otherwise, from any source regarding any patient is expressly prohibited."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280