Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 9, 2013. Also cited in 90 other reports.
Report ID: FG4S11.01, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on staff interview and administrative document review, the hospital failed to prevent unauthorized access to patients' medical information for three patients (1, 3, and 4), when:1. Patient 1's two medications were accidentally given to Patient 2 at the time of medication pick-up;2. Patient 3's medication and an appointment reminder card was sent to the wrong recipient due to an address mix-up;3. A label containing Patient 4's confidential information, instead of his address, was placed on an envelope, resulting in his information being disclosed to the postal service.Findings:1. During an interview on 10/9/13 at 9:30 a.m. in the presence of the privacy officer and the risk manager, the director of pharmacy (DOP) said Patient 1 came into the hospital on 1/4/13 to pick up two medications: Abilify (to treat schizophrenia or bipolar disorder) and Fluoxetine (for depression). The Pharmacy record showed Patient 1's medications had already been picked up on 12/27/12. He said the hospital investigation revealed Patient 1's medications were accidentally given to Patient 2 on 12/27/12. The DOP said the pharmacy technician (PT) who assisted Patient 2 failed to follow the hospital's policy by failing to use two patient identifiers (IDs) for correct patient identification at the time of prescription pick-up. During an interview on 10/18/13 at 2 p.m., the PT said the pharmacy was busy at the time, and she failed to ask for two patient IDs before dispensing the medications to Patient 2.The information disclosed included patient name, physician's name, drug name, drug dosage and direction for use, and prescription numbers.The hospital's policy and procedures entitled "Prescription Pick Up/Pharmacy Beneficiary Signature and Relationship Requirement Log," dated 3/12, indicated the following:"Staff will use at least two of the three patient identifiers... to compare for accuracy to the same identifiers as found in the: a. Medical Record (MR) number b. Patient Name c. Date of birthThe above identifiers presented by the patient could be obtained from the following sources: - SCVMC Medical Record card - Patient I.D. wristband - Driver's license"2. During an interview on 10/9/13 at 10 a.m., the hospital privacy officer said the hospital received a call on 1/14/13 from a recipient, informing the hospital regarding a receipt of a medication (clonazepam for anxiety) and an appointment card reminder for his family member. He confirmed that his family member did not take clonazepam and had never been seen in the hospital. The privacy officer said the medication and the appointment card reminder were meant for Patient 3. It was discovered that Patient 3 had the same name and date of birth as the recipient's family member.During an interview with the patient access department director on 10/18/13 at 2:30 p.m., he explained that Patient 3 had been seen by the hospital before. On 1/6/13, Patient 3 was transferred from another hospital. Prior to her arrival at the Pediatric Intensive Care Unit (PICU), the transferring hospital faxed to the receiving hospital, the patient's face-sheet with the incorrect address (the address that belonged to the recipient's family member). Patient 3 was admitted directly to the PICU. The patient access director said the admitting staff assumed the transferring hospital had the "latest" address, and therefore replaced their existing address with one provided by the transferring hospital. He acknowledged the admitting staff failed to verify with the family the correct address after Patient 3 was admitted.The information disclosed included patient name, medical record number, prescription name, dosage, and prescription number.3. On 10/9/13 at approximately 10:30 a.m., in the presence of the pharmacy director and the risk manager, the privacy officer said the hospital learned of a privacy breach when the compliance and privacy office received a return envelope (unopened) from the hospital mail service on 2/1/13. The envelope was not deliverable due to it having a patient's (Patient 4's) label instead of the patient's address. The hospital investigation revealed the envelope was mailed from the Renal Clinic. During a telephone interview on 10/21/13 at 2:15 p.m., the nurse manager of the Nephrology Clinic said the envelope was meant to be placed in the pick-up bin (for patient pick up) but was accidentally placed in the outgoing bin (for mailing). It went through the hospital mail service to the U.S. Postal Service. When it was not deliverable, the U.S. Postal Service sent it back, to the hospital, and it was delivered to the compliance and privacy office.The patient's label on the envelope contained patient name, medical record number, account number, and date of birth.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280