Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 4, 2013. Also cited in 103 other reports.
Report ID: PXJP11, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to prevent unauthorized access to two patients' protected health information (PHI).Findings:In interview on 12/4/13 at 9:15 a.m., Staff A stated that on 10/9/13, random audit of Staff B's access to the electronic medical record system demonstrated that she had accessed Patient 1's record on various dates. Subsequent audit by Staff C of access between 1/1/13 and 12/11/13 demonstrated that Staff B accessed Patient 1's record eleven times and accessed her own record nine times. Staff C stated that it appeared that all areas of the records were accessed inappropriately.Staff C interviewed Staff B on 1/23/14. Staff B acknowledged that she had not provided care to Patient 1 during his appointments. Staff B said that when cclink (the electronic medical record system) went live, she was told by other staff members that it was "ok" to look at family member medical records. Staff B stated that she recalled completing the facility's confidentiality training on 7/5/13, but she denied having received a copy of the facility's confidentiality policy during various yearly evaluations. She also denied providing information from Patient 1's record or her own record to anyone outside the facility.Doicument review on 12/4/13 verified that Staff B completed the facility's California Privacy Law training on 7/12/10.On 12/4/13, review of the facility's patient confidentiality policy, dated 6/2011, demonstrated that "inappropriate review or viewing of patient information without a direct need for diagnosis, treatment, or other lawful use is considered unauthorized access, and is punishable under California Privacy law."Document review on 12/4/13 corroborated that Patient 1 and the department were notified of the breaches on 10/11/13, two days after discovery.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280