Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 3, 2014. Also cited in 46 other reports.
Report ID: FJDU11.01, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a health care worker (HCW) accessed Patient 1's PHI without the direct need to know for medical diagnosis, or treatment. As a result of this failure, HCW had access to Patient 1's personal information. Findings:An onsite investigation of an entity reported privacy breach was initiated on 11/25/13. It was reported to the California Department of Public Health that, on 11/19/13 an unauthorized and intentional disclosure of Patient 1's PHI was accessed by a hospital health care worker without the direct need to know.On 1/3/14 at 2:40 P.M., an interview was conducted with the Manager of Patient Relations/Risk Management (MRM). The MRM stated that random audits are done to check for employees that access PHI without the need to know. The audit log done on 11/19/13 revealed that HCW had accessed his spouse's (Patient 1's) medical record in multiple different areas of the hospitals electronic medical record (EMR) on 10/21/13 starting at 9:45 A.M. thru 9:51 A.M. On 1/3/14 at 3:16 P.M., an interview was conducted with the Manager of Labor and Delivery (MLD). MLD stated when she and Human Resources got the audit log that they spoke to HCW. HCW told MLD that she only accessed her own record to change her home address. On 1/3/14 at 4:16 P.M., an interview was conducted with HCW. HCW stated that she did not recall accessing her spouses (Patient 1) medical record. HCW stated that Patient 1 has not been a patient since 1993 so there would be no reason to access the record.A review of HCW's employee file was conducted with MLD. HCW's job description was reviewed and indicated "Confidentiality and Non-Disclosure Agreement", indicated "I will not misuse confidential information and will only access information necessary to do my job..." HCW signed and dated 6/18/07, which indicated he had read and understood the job description. HWC had completed the hospital's annual required HIPAA training on 10/15/13. The hospital's policy and procedure titled "Health Information-Access, Use, and Disclosure", dated 9/14, indicated "H. Workforce access to personal, electronic own records: 3. Permission to view one's own medical record does not entail any permission to modify, amend, add-to or subtract-from the information that is accessed..."The hospital's policy and procedure titled "Confidentiality of information," dated 8/12, indicated "I. Unauthorized Use or Viewing of Sensitive Information. Viewing or obtaining sensitive information not needed for an assigned or professionally appropriate task... constitutes a violation of confidentiality. Individuals may not: 1. Allow or participate in access, use or disclosure of sensitive information not needed for their job. This includes, but is not limited to, information belonging to other employees, co-workers, family or friends..." This policy was not followed when HCW accessed her spouses (Patient 1) medical record without the direct need to know for medical diagnosis, or treatment. This was also in violation of the patient's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights