Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER COAST HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 12, 2013. Also cited in 58 other reports.
Report ID: K36711, California Department of Public Health
Reported Entity: SUTTER COAST HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) protected health information, when some of Patient 1's medical information was faxed to the Wrong Agency. This failure allowed the unlawful or unauthorized access of protected health information.
Findings: The California Department of Public Health was notified on 3/8/13 that a, "Breach of Protected Health Information (PHI)", occurred on 3/4/13.
During an interview on 3/12/13 at 10 a.m., Administrative Staff A stated that, on 3/4/13, Unlicensed Staff C faxed, in error, Patient 1's prescription information to the Wrong Agency and it included her name, address, birth date, prescription information and physician's name. Administrative Staff A also stated that he became aware of the breach, on 3/5/13, after Licensed Staff B, in answer to the returned fax, confirmed that the Wrong Agency shredded Patient 1's PHI.
Administrative Staff A further stated that Unlicensed Staff C had made the error on 3/4/13 by writing down the wrong fax number for the Right Agency while in a hurry.
A review of the facility Policy and Procedure for, "OVERVIEW PRIVACY POLICIES UNDER HIPAA", (12/29/12), reveals the following: "I. POLICY: It is the policy of the facility to protect the privacy and security of patient information and to comply with applicable laws and regulations...III. GUIDELINES: ...B. Protected Health Information and Records: Protected Health Information (PHI) includes any information received, created or maintained by the facility in which the patient is or may reasonably be identified, regardless of whether the information is in oral, paper, or electronic form...C. Facility Privacy Policies and Procedures: The facility and its workforce members must comply with a number of state and federal laws and regulations. It is the responsibility of facility management to develop and distribute necessary privacy and security policies and procedures to guide the actions of its workforce...It is the responsibility of all facility workforce members to comply with the policies and procedures and to cooperate with facility management to identify and correct problems that may cause privacy or security breaches...G...7. Data Security Patients have the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by the facility to prevent its misuse. It is the responsibility of all facility workforce members to read the applicable security policies and comply with their provisions."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280