This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

DOCTORS MEDICAL CENTER

1441 FLORIDA AVENUE, MODESTO, CA 95350

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 10, 2012. Also cited in 64 other reports.


Report ID: GJM211.01, California Department of Public Health

Reported Entity: DOCTORS MEDICAL CENTER

Issue:

These requirements were not met as evidenced by:

Based on staff interviews and review of facility documents, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information, when a facility employee (Patient A) was admitted to the coronary care unit (CCU) and a coworker (critical care technician) in the intensive care unit (ICU) accessed her medical record without authorization or cause. Additionally, the facility failed to report an incident of unauthorized disclosure of a patient's medical information to the Department within 5 calendar days.

Findings:

1. On 2/10/12 at 9:55 a.m., the facility's investigation of the incident was reviewed with the Compliance Officer (CO). A review of the investigation showed that a day shift ICU unit clerk (Patient A) was admitted to the facility on 10/14/09, to a general medical bed and then was subsequently transferred to the CCU. Per the investigation on 10/15/09, ICU staff were aware that Patient A was in CCU and were discussing her case. During that time it was discovered that a critical care technician (CCT) on-duty in the ICU had accessed Patient A's chart without authorization.

On 2/10/12 at 10:15 a.m., the CO was asked what the CCT stated was the reason he accessed Patient A's medical record and she stated, "He wanted to know where she was." The CO was asked what documents the CCT had accessed and she stated the vital signs sheets and the nurse's notes. The CO was asked how the CCT was able to access Patient A's record and she stated all clinical staff can access all in-house records regardless of their assigned area.

On 2/10/12 at 10:35 a.m., the facility's Health Information Management (HIM) Director and the Clinical Supervisor for Information Systems (CSIS) were interviewed in the presence of the CO. The HIM stated that they run random computer safety entries every month. The CSIS produced an audit form that showed entries for Patient A's medical record. The form was not dated; however, the CSIS stated that it was run the next day (10/16/09) after the ICU Department Manager (DM) had requested a review of Patient A's entries for 10/15/09. The form showed that the CCT had accessed Patient A's medical record.

On 2/10/12 at 11:10 a.m., the DM was interviewed via the telephone in the CO's office. The DM stated that he had interviewed the CCT about the unauthorized access. The DM stated that Patient A was the ex-wife of the CCT and he had told the DM that he had accessed her chart to find out what room she was in. The DM stated that both Patient A and the CCT worked in the ICU but on opposite shifts. The DM was asked if he was aware that the CCT had also accessed Patient A's vital signs and nurse's notes and he stated, "No."

On 2/16/12 at 5:59 a.m., the CCT was interviewed via the telephone. The CCT was asked to explain his job role and he stated that his role was basically that of an orderly. The CCT stated that he had come on duty 10/15/09 and was told by other ICU staff that Patient A was very ill. The CCT was asked what he had accessed and he stated that he went onto the computer and obtained her room number and then got out of her record. The CCT was asked to explain why he had accessed the vital signs sheet and nurses' notes and he stated that when he clicked on Patient A's name, the forms automatically came onto the screen, but he did not intentionally access them. The CCT was asked if his access of Patient A's medical record was allowable based on the facility's health information privacy policy and he stated, "No."

On 2/16/10 at 8:10 a.m., the DM was re-interviewed via the telephone about the CCT's role in ICU and the DM stated that the CCT has limited access such as lab tests, vital signs and order entry. The DM stated that the CCT can function as a unit secretary when needed.

On 2/21/12 at 9:35 a.m., an e-mail was received from the CO and explained that the CO and CSIS had collaborated on a response to the follow-up phone message. Per the e-mail, the CCT had access to use any computer in the ICU to enter orders and other duties as indicated by his job position. The e-mail indicated that there were two versions that the CCT could access for these duties. One version was called "Legacy" and the other was called "HED." Both the "Legacy" and "HED" version would show a patient's name and unit and you would have to click on the patient name to access any other information. Upon review of the audit form, the CCT had accessed the "HED" version. The e-mail indicated that if you clicked on a patient in the "HED" version, the screen that automatically comes up is the vital sign screen, which would allow staff to chart vital signs, input and output and activities of daily living. The e-mail indicated that in the "HED" mode, a user could access any charting documents by any care giver.

On 2/21/12 at 11:05 a.m., a follow-up interview to the CO was conducted via the telephone. The CO was asked if the vital sign screen was part of the CCT's job role and she stated, "Yes." The CO was asked if the CCT's access of Patient A's nurse's notes were also part of his role and she stated, "No." The CO was asked that if the CCT accessed the version that automatically brought up the vital sign sheet, would the CCT have had to additionally access Patient A's nurse's notes in order to read them and she stated, "Yes."

2. On 2/10/12 at 1:00 p.m., the facility's investigation of the incident was reviewed with the CO. The facility discovered that a critical care technician (CCT) on-duty in the ICU had accessed Patient A's chart without authorization. The facility became aware of the incident on 10/15/09 and the Department received a notification by mail on 11/4/09 (15 days after the required report within 5 calendar days of detection).

On 2/10/12 at 1:45 p.m., the facility's CO was asked if they were aware of the 5-day reporting component and she stated, "Yes, but during that time all of the incidents were sent to their corporate headquarters for review prior to reporting."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
