Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER SANTA ROSA REGIONAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 27, 2013. Also cited in 15 other reports.
Report ID: CLOH11, California Department of Public Health
Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of two patients' (Patient 1 and Patient 3) medical information when: A) Patient 1's medical information was handed to another patient and B) Patient 3's medical information was faxed to a private business. These failures allowed the unlawful or unauthorized access to protected health information.Findings:CA00293145 The California Department of Public Health was notified on 12/16/11 that a, "Breach of Protected Health Information (PHI)", occurred on 12/10/11.During an interview on 2/28/13 at 9 a.m., Administrative Staff A stated that, on 12/12/11, she was advised, by Licensed Staff C that Patient 2 had accidentally received, on 12/10/11, Patient 1's PHI, which contained his name, medical record number, diagnosis and the physician's name within discharge instructions and a prescription for an antibiotic.Administrative Staff A further stated that it was due to not following policy and procedure that Licensed Staff B, who had taken care of both patients in the Emergency Room (on 2/10/11), handed Patient 2 the discharge instructions and prescription for Patient 1. Licensed Staff B neglected to double check the name on the PHI and compare it with the patient identification band. CA00339549The California Department of Public Health was notified on 1/14/13 that a, "Breach of Protected Health Information (PHI)", occurred on 1/11/13.During an interview on 2/28/13 at 9:15 a.m., Administrative Staff A stated that she received notification, from a Private Business, on 1/14/13, that they had received a faxed copy of Patient 3's history and physical, which included name, date of birth, medical record number, account number, date of admission, chief complaint, allergies, past medical history, medications, social history, family history, review of systems, physical examination, chest X-ray, EKG, laboratory results, and two physicians' names. Administrative Staff A further stated that it was an error on the part of Patient 3's Physician in that he had given Unlicensed Staff D the wrong fax number for his office. A review of the facility Policy and Procedure for, "Workforce Confidentiality/Privacy and Appropriate Use of Facility Property", (no date), reveals the following: "C. Access and Use of Patient and Business Information...3. Workforce members are expected to adhere to the following guidelines in order to maintain security and confidentiality: a. Ensure recipients of confidential information are authorized to receive it. Verify identities of recipients before releasing any information".A review of the facility Policy and Procedure for, "Confidentiality of Patient Care Information", (10/10), reveals the following: "I. POLICY Persons receiving health care services have the right to expect that the confidentiality of individually identifiable medical information will be reasonably preserved. Information regarding the hospital's patients' medical or personal status will not be released or disclosed inappropriately...III. APPLICATION OF POLICY A. All patient-related information is confidential. It will be shared only with those persons that have a legal right (i.e. the patient or the patient's surrogate) or a legitimate work-related need to know".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280