Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 6, 2012. Also cited in 72 other reports.
Report ID: SVIQ11.02, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI- is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual) from unauthorized person(s) in accordance with their policies and procedures, for all patients. A total of 68 documents containing confidential patient information on 68 patients were stolen, when a Registered Nurse (RN 1) placed them in a work bag and left them in her car. Findings:On 8/31/12 at 2:40 P.M., the hospital reported to the Department that an unauthorized disclosure had occurred when RN 1 took copies of clinical daily notes "(also known as brains)" and notes related to hospital acquired pressure ulcer (HAPU) patients, placed all these documents in a work bag and left them in her car. Per the hospital, RN 1's car had been broken into at home on 8/27/12 and all the documents were stolen. According to the hospital, the clinical daily notes contained patient name, age, abnormal values and pending diagnostic tests. The HAPU notes contained the patient name, medical record number and a description of the patient's hospital acquired pressure ulcer.A telephone interview with RN 1 was conducted on 11/9/12 at 11:18 A.M. RN 1 confirmed that documents containing confidential patient information were stolen from her car in August 2012. She acknowledged that she should not have taken the documents home.A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures", effective date of 2/12, was conducted. The policy indicated that the hospital shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure." A joint review of a hospital list was conducted with the Clinical Risk Specialist (CRS) beginning on 11/9/12 at 11:35 A.M. The list confirmed that 68 patients were sent letters informing them of the unauthorized disclosure that may have occurred when RN 1's car was broken into in August 2012 and a work bag containing notes with confidential patient information was stolen. An exit conference was held with the CRS on 11/20/12 at 3:46 P.M. The CRS acknowledged that an unauthorized disclosure occurred when clinical daily notes "brains" and HAPU notes were stolen from RN 1's car. She acknowledged that the hospital's policy related to health information, access, use and disclosure was not followed.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights