Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
DEPT OF STATE HOSPITALS - PATTON
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 14, 2014.
Report ID: L7TP11, California Department of Public Health
Reported Entity: DEPT OF STATE HOSPITALS - PATTON
Issue:
Based on interview and document review, the facility failed to ensure Patient A's (PHI) Personal Health Information was protected when a LVN student sneaked a camera phone on to the unit and took pictures of Patient A's medical records. This failure resulted in unauthorized access and breach to Patient A's medical records and demographic information. Findings:On October 14, 2014, a visit was made to the facility to investigate a breach of patient's PHI.An interview was conducted with the Privacy Officer and Director of Health Information on October 14, 2014, at 11:30 a.m. The Privacy Officer stated the incident occurred on October 8, 2014, at approximately 9 a.m. On October 9, 2014, at 11:45 a.m., the facility became aware of an incident in which photographs were taken of Patient A's medical records by a LVN student. The clinical instructor reported that during the 9:30 a.m. morning break, a student sneaked her cellular phone into a secured treatment area (Unit 12) and took pictures of Patient A's medical records. Three other students were present during the incident and reported it to their clinical instructor. The clinical instructor confronted the student. The student admitted to sneaking her phone onto the unit and taking pictures of the patient's records. It was reported that the student took at least three pictures of Patient A's medical and legal history. The Privacy Officer stated Patient A had not given permission to the LVN student to take pictures of her medical records. The Privacy Officer stated students were not allowed to bring phones onto the unit. The Privacy Officer provided copies of the medical records that the student took pictures of. A review of Patient A's records revealed the student took pictures of Patient A's complete Medical History and Physical Assessment which included demographic information, diagnoses, medications, family history, substance abuse history, surgical history, current illnesses, detailed review of systems along with his legal and penal code status. An interview was conducted with the Director of Staff Development on October 17, 2014, at 1:30 p.m. The Director of Staff Development stated the facility did not have a specific written policy and procedures addressing what students are allowed/not allowed to do while on the units, including use of cellular phones. However, with the Director of Staff Development stated that the rules and expectations were covered during an orientation training prior to being allowed on the unit. The Director of Staff Development stated that confidentiality of the patients' protective health information and contraband were discussed with the students. The Director of Staff Development stated examples of contraband, which included cellular phones, were given to the students. The Director of Staff Development stated they made it very clear that students were not allowed to bring and use cellular phones on the unit. The Director of Staff Development stated, "Unfortunately, this student decided not to follow the rules."The facility's policy and procedure titled, "Privacy & Confidentiality of Protected Health Information," was reviewed. The policy indicated the purpose of the directive was to outline the policies, procedures, and systems at Patton State Hospital (PSH) that provided guidance about privacy and confidentiality of Protected Health Information. "It is the policy of PSH to adhere to State confidentiality and privacy laws...PSH will take reasonable steps to safeguard PHI from intentional and unintentional misuse..." The policy indicated that Protected Health Information included, "demographic information collected from an individual, and created or received by a health care provider, that relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to an individual; and that identifies the individual..."Patient A's PHI was breached when a student failed to follow the facility's rules, sneaked her phone onto the unit, and used it to take pictures of Patient A's medical records.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280