Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER COAST HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 15, 2013. Also cited in 58 other reports.
Report ID: ES5H11, California Department of Public Health
Reported Entity: SUTTER COAST HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) medical information when Patient 1's PHI was handed to Patient 2's Representative. This failure allowed the unlawful or unauthorized access to Patient 1's medical information.
Findings: The California Department of Public Health was notified on 8/14/13 that a "Breach of Protected Health Information (PHI)" occurred on 8/9/13.
During an interview on 8/15/13 at 10:30 a.m., Administrative Staff A stated that he was notified by Supervisor B, on 8/9/13, that Patient 2's Representative had called and told her that he had been handed, on that day by Unlicensed Staff D, the medical record for Patient 1 instead of Patient 2.
Administrative Staff A stated that Patient 1's PHI included his name, medical record number, account number, date of visit, department seen in, home address, chief complaint, history of present illness, past medical history, allergies, social history, review of systems, physical exam, imaging results, laboratory results, diagnosis, caregiver name and physician name.
Administrative Staff A further stated that there were two errors, in not following policy and procedure, when Unlicensed Staff C pulled the envelope containing medical records for Patient 1 in error, without double checking if they were for Patient 2, and handed them to Unlicensed Staff D who then gave them to Patient 2's Representative without checking the contents of the envelope to ensure that they were Patient 2's records.
A review of the facility Policy and Procedure for "OVERVIEW PRIVACY POLICIES UNDER HIPAA" (12/29/12) reveals the following: "I. POLICY: It is the policy of the facility to protect the privacy and security of patient information and to comply with applicable laws and regulations...III. GUIDELINES: ...B. Protected Health Information and Records: Protected Health Information (PHI) includes any information received, created or maintained by the facility in which the patient is or may reasonably be identified, regardless of whether the information is in oral, paper, or electronic form...C. Facility Privacy Policies and Procedures: The facility and its workforce members must comply with a number of state and federal laws and regulations. It is the responsibility of facility management to develop and distribute necessary privacy and security policies and procedures to guide the actions of its workforce...It is the responsibility of all facility workforce members to comply with the policies and procedures and to cooperate with facility management to identify and correct problems that may cause privacy or security breaches...G...7. Data Security Patients the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by the facility to prevent its misuse. It is the responsibility all facility workforce members to read the applicable security policies and comply with their provisions."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280