Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER SANTA ROSA REGIONAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 24, 2014. Also cited in 15 other reports.
Report ID: RKL211, California Department of Public Health
Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL
Issue:
The facility notified the patient by mail on 1/10/14.Based on interview with the Privacy Officer and policy review, the hospital failed to keep personal medical information( PMI) confidential when it faxed Patient 1's report of a procedure to a physician that was not Patient 1's primary provider. The failure resulted in a breach of confidentiality for the patient and possible unauthorized use of the information.Findings:During an interview on 2/21/14 at 3p.m., the privacy officer stated that during a telephone pre-registration, the registration clerk entered the name of a physician into Patient 1's data base that was not the patient's primary care provider (PCP). Patient 1 was a new patient and there was no data in the system. The privacy officer stated that on 1/6/14 a report of a proceudre for Patient 1 was faxed to the incorrect physician who is not Patient 1's PCP.The privacy officer stated that reports of procedures are automatically faxed to the PCP to ensure continuity of care.The physician that received the fax of the report in error returned the fax to the facility after business hours on 1/6/14. The facility became aware of the error at the opening of business on 1/7/14.During a review of the report of the procedure on 1/24/14, the report indicated the following PMI about Patient 1: name, birthday, medical record number, diagnosis, name of procedure, date of procedure, report of procedure, name of physician ordering the procedure.During a reveiw on 2/14/14 of the Administrative Policy HIPAA that was revised 2/12, the policy indicated that it is the policy of the Sutter Workforce to treat patient, personnel, and organizational records as confidential. The policy indicated that all members of the Sutter Workforce execute annually a "Workforce Confidentiality/Privacy Agreement" acknowledging their understanding of this policy and their agreement to abide by the guidelines of this policy.The breach occured due to error on the part of the registration clerk. The clerk failed to confirm the correct name of Patient 1's PCP during a telephone pre-registration interview in preparation for a procedure.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280