Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: Q5DJ11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to ensure the privacy and confidentiality of patient medical records which resulted in an unauthorized person or persons accessing medical information in a manner not authorized by the patient.Findings:On December 8, 2014 at 1:40 PM, a phone interview was conducted with Employee 1 and the Risk Manager (RM), regarding an entity reported incident of a breach of PHI for Patient A, detected on June 25, 2014. Employee 1 stated that he was the RN assigned to Patient A on June 24, 2014 and that Patient A was in an isolation room on a Medical-Surgical Unit. Employee 1 stated that he was told by his manager that 3 empty IVPB bags (medications given intravenously) with Patient A's PHI were found in the linen by a linen company on June 25, 2014. Employee 1 stated that he did not recall disposing of the IVPB's, and that the linen and trash containers are clearly marked. During the concurrent interview with Employee 1, the RM stated that the staff who cared for the patient on the unit that day were re-educated. The staff disposed of 3 labeled IVPB's in the linen which resulted in a breach of PHI.During a review of the documentation received, a photo of 3 IVPB's were viewed. The pictures were not clear. Employee A stated that 2 of the bags were antibiotics and 1 was Magnesium Sulfate (a mineral). The medication labels included Patient A's name, date of birth, age and account number.Documentation that Patient A was notified of the breach in person on June 30, 2014 was also present.Employee 1's education on "Confidentiality", "General orientation transcripts", and " Educational transcripts" were reviewed and showed that Employee 1 had received training on HIPAA and patient confidentiality.Policy and Procedures for "Confidentiality" were received and reviewed and indicate "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use of disclosure of patient health information without the signed authorization of the patient.The facility failed to protect PHI by disposing of IVPB's in the linen which resulted in unauthorized release of Patient A's PHI to an unintended company.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights