Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: DCTB11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A and Patient B when Employee 1 accidentally labeled Patient B's IV (Intravenous) bag with Patient A's label, and Patient A's IV bag with patient B's label. This resulted in an unauthorized disclosure of Patient A and Patient B's PHI.Finding:On December 23, 2014 at 8:00 AM, a phone interview was conducted with Employee 1 and the Risk Manager (RM) regarding an entity reported incident of a breach of PHI for Patient A and Patient B, detected on August 26, 2014. Employee 1 stated that she normally does not label plain IV bags with the patient label, which is what the hospital requires. She said she thought that having the patient name displayed on the IV bag when the patient is up and around is a HIPAA violation. But this one morning she decided to follow the hospital's direction and took Patient A and Patient B labels into the dark patient room. She thought that she had checked to see which label was in each hand and was sure she placed the correct label on each IV bag. During further interview, Employee 1 stated that during the next shift, a family member noticed the incorrect label and notified the staff. Employee 1 stated that she was told both IV bags were taken down, and new IV bags with correct patient labels were placed. Employee 1 also stated that during the daily Huddles, the process for labeling IV bags was reviewed with all staff. During the concurrent interview with Employee 1, the RM stated that the patient was notified by mail of the unauthorized disclosure of PHI. During a review of the documentation, the "Summary of Event" was reviewed which described the hospitals investigation.Employee 1 stated that the IV bag mislabeled was a plain solution. The patient label included patient's name, medical record number, account number, date of birth, date of admission and primary doctor for current visit.A copy of a certified letter dated August 29, 2014 addressed to Patient A was reviewed informing him of the disclosure of PHI.Employee 1's training documents were reviewed including; "Confidentiality Agreement Acknowledgement" signed and dated 4/14/2104, "General Orientation Verification" dated 4/14/2014, and "Education Transcripts" dated 2014.A review of the policy and procedure stipulated "Confidentiality Policy" dated 1/22/14 states; "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient.The facility failed to ensure the correct patient label was placed on the correct IV bag resulting in an unauthorized release of both Patient A and Patient B's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights