This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SUTTER SANTA ROSA REGIONAL HOSPITAL

30 MARK WEST SPRINGS ROAD SANTA ROSA, CA 95403

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 31, 2012. Also cited in 15 other reports.


Report ID: JD3H11, California Department of Public Health

Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of two patients' (Patient 1 and Patient 3) protected health information, when: A) Some of Patient 1's medical information was faxed to another patient (Patient 2) and B) Some of Patient 3's medical information was faxed to still another patient (Patient 4). These failures allowed the unlawful or unauthorized access of protected health information.

Findings:

A) (CA00316823)

The California Department of Public Health was notified on 7/6/12 that a, "Breach of Protected Health Information (PHI)", occurred on 6/29/12.

During an interview on 10/31/12 at 1:30 p.m., Administrative Staff A stated that she received a phone call, from Licensed Staff C, on 7/2/12, that Patient 2 had received a faxed copy of Patient 1's electrocardiogram (EKG), on 6/29/12, which had been requested by Physician B and that Patient 2 had called the nurses station of the Cardiac Telemetry Unit (CTU) to report the error.

Administrative Staff A further stated that it was human error, on the part of Physician B, in that he gave the wrong fax number to the Cardiac Telemetry Unit, on 6/29/12, when he requested a copy of the EKG for Patient 1 and that Physician B realized his mistake when he went to his office fax machine and noted a different fax number other than the one he had given out. Subsequently Physician B called the Cardiac Telemetry Unit and gave them the right number.

B) CA00323460

The California Department of Public Health was notified on 8/27/12 that a, "Breach of Protected Health Information (PHI)", occurred on 8/22/12.

During an interview on 10/31/12 at 2 p.m., Administrative Staff A stated that she received an e-mail notification, on 8/22/12 from the radiology department, indicating that an electroencephalogram (EEG), requested by Physician E on 8/22/12, had been sent in error to Patient 4's fax instead of Physician E's fax. Patient 3's Family had called the radiology department on 8/22/12 and left a message notifying them of the breach, after Patient 4 called Patient 3's Family. Administrative Staff A also stated that it was human error, on the part of Administrative Staff D, in that he programmed the wrong fax number into the radiology auto-fax machine. Physician E's fax number ended in #6 and the fax number programmed into the auto-fax machine ended in #7.

A review of the facility Policy and Procedure for, "Confidentiality of Patient Care Information", (10/10), reveals the following: "I. POLICY Persons receiving health care services have the right to expect that the confidentiality of individually identifiable medical information will be reasonably preserved. Information regarding the hospital's patients' medical or personal status will not be released or disclosed inappropriately... III. APPLICATION OF POLICY A. All patient-related information is confidential. It will be shared only with those persons that have a legal right (i.e. the patient or the patient's surrogate) or a legitimate work-related need to know".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
