Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Mercy Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 5, 2012. Also cited in 34 other reports.
Report ID: 8NO711, California Department of Public Health
Reported Entity: MERCY MEDICAL CENTER
Issue:
Based on staff interview, clinical record and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when staff faxed a treatment authorization form for Patient 1 to an unknown private citizen in error. This failure placed Patient 1's PHI at a potential risk for unauthorized use.Findings:On 10/5/12 at 3:50 p.m., during an interview, the Privacy Officer (PO) confirmed on 8/31/12, Patient 1's PHI had been breached when a Family Care Clinic staff person faxed a treatment authorization record to an unknown private citizen in error. The PO stated the private citizen called the clinic on 8/31/12, and reported he had received the treatment authorization form which was faxed from the clinic. The private citizen would stated he would destroy the document, but he would not leave his name. The breach was reported to the department on 9/6/12.A certified letter dated 9/6/12 was sent to notify the parents of Patient 1 of the breached information. A copy of the signed mail receipt verified the patient's parents received the letter on 9/13/13.Patient 1's PHI which was breached included the following: Full name, date of birth, address, telephone number, provider information, reason for the referral, insurance information and provider/clinic information. The facility Administrative Housewide Manual policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding Of," dated 12/09 indicated, "Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity... When programming a fax machine a test fax shall be sent to confirm accuracy, thereafter periodically verify the fax number for accuracy...When faxing PHI or Sensitive Information make sure to confirm the fax number is approved to receive such information...When manually entering a fax number, visually verify the correct fax number is being entered before sending..."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights