Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN ANTONIO REGIONAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 30, 2015. Also cited in 35 other reports.
Report ID: 5KL011, California Department of Public Health
Reported Entity: SAN ANTONIO REGIONAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient B's protected health information (PHI) when a Medical Doctor (MD 1) gave Patient B's discharge instruction documents to Patient A. This resulted in an unauthorized disclosure of Patient B's PHI.
Findings:
On March 30, 2015 at 9:15 AM, a phone interview was conducted with the Director of Health Information Management (HIM) regarding an entity reported incident of a breach of Patient B's PHI detected by the facility on March 10, 2015. The Director of HIM stated that MD 1 gave discharge paperwork meant for Patient B, which contained Patient B's name, date of birth, age, gender, medical record number, allergies, home address, home phone number, medication names, dosages and instructions, ethnicity, health plan name, diagnoses, and pertinent health information, to Patient A.
The Director of HIM stated that Patient B was notified on March 11, 2015 of the PHI that was breached and provided a copy of the letter for review.
On April 3, 2015 at 11:00 AM, a phone interview was conducted with MD 1 regarding this entity reported incident. MD 1 stated it was a long day and at the end of the night and she was seeing the last few patients, including Patient A and Patient B who shared similar medical histories. When she went into what she thought was Patient B's room and called out Patient B's name, Patient A answered yes. In her mind, Patient A was Patient B. She generated Patient B's discharge paperwork and gave them to Patient A thinking Patient A was Patient B.
On April 3, 2015 at 11:20 AM, a phone interview was conducted with the Clinic Manager regarding this entity reported incident. The Clinic Manager stated that patients are registered initially and the patient's information is entered into the electronic medical record (EMR) system. The patient's name and room number assigned will then be on the EMR tracking board. All identification of patients are visual by way of the EMR system and verbal verification with the patient. There are no patient identification bands.
A review of the discharge instruction documents indicated Patient B's name, date of birth, age, gender, medical record number, allergies, home address, home phone number, medication names, dosages and instructions, ethnicity, health plan name, diagnoses, and pertinent health information.
A review of the facility's policy and procedure titled, "Confidentiality, Protecting Confidential Information" dated July 2008, indicated "Confidential information must be protected from unauthorized uses, disclosures, inappropriate modification, and/or any action that would prevent it from being readily available to authorized individuals."
The facility failed to ensure the correct discharge instruction documents were given to Patient A resulting in an unauthorized release of Patient B's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights