Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 31, 2013. Also cited in 41 other reports.
Report ID: SUFS11.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient B, when a fax intended to be sent to Patient A's medical group, inadvertently contained Patient B's PHI under a coversheet listing Patient A name on it, and was faxed to Patient B's medical group. This failure to verify the correct documents were being faxed, resulted in the unauthorized release of Patient B's PHI, to patient A's medical group. FINDINGS:On February 26, 2013 at 10:00 AM, during a visit to the facility, an interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of a possible breach of Patient B's PHI.On July 31, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on November 15, 2012, a local medical group notified the facility that Patient B's PHI was faxed to their medical group, who was unfamiliar with Patient B. The investigation further documented that Employee 1, a contracted release of information tech, was to fax Patient A's PHI to the medical clinic as ordered. Employee 1, inadvertently, gathered Patient B's PHI, but placed a coversheet reflecting Patient A name. The medical clinic received a fax with a coversheet reflecting Patient A name, who they were familiar with. Upon further investigation, the clinic realized that the coversheet reflected Patient A name, but the record reflected Patient B PHI. The medical group destroyed Patient B's PHI which had been faxed to them in error.Patient B's PHI, which was faxed in error to the unauthorized, unintended medical group included the following: Patient B's name, date of birth, age, address, relative name, address and phone number, Insurance ID #, group # and plan code, ordering physician name, diagnosis, past medical history, current medical condition, medications, physical exam findings, treatment, treatment plan, laboratory results, allergies, facility name, date of discharge, discharge diagnoses, discharge instructions, test findings, medical record number, encounter number, sex, and marital status. On August 14, 2013 at 12:45 PM, during a phone interview with FPO, who confirmed the incident, stated Employee 1 should have faxed Patient A's PHI along with a coversheet and not Patient B's. The facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patients' (PHI), which resulted in Patient B being placed at risk of identity theft, when a fax containing Patient B's PHI was faxed to a medical group without authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights