Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 28, 2014. Also cited in 90 other reports.
Report ID: ZWST11.01, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to prevent unauthorized disclosure of medical information for one of two sampled patients (2) when Patient 1 was misidentified as Patient 2 and was transferred to an unaffiliated facility. Patient 2's medical information was disclosed to medical transportation staff and to staff at the unaffiliated facility. After the misidentification was discovered, Patient 1 was transferred back to the hospital. Findings:On 2/26/14, the California Department of Public Health received a faxed report indicating the hospital identified unauthorized disclosure of health information for Patient 2.Patient 1 was admitted to the hospital on 2/12/14 with diagnoses including a fractured jaw and was discharged on 2/19/14, readmitted on 2/19/14, and discharged on 3/3/14. Patient 1's record was reviewed on 8/29/14. The 2/19/14 physician discharge summary indicated "this patient was initially mis-identified as another individual. The name and date of birth have been updated and corrected." Patient 1's 2/19/14 transfer documents (sent with Patient 1 to the unaffiliated facility) included Patient 2's name, date of birth, gender, medical record number, address, phone number, religion, health insurance, name of physician, and medication allergy list. During an interview on 8/29/14 at 9:30 a.m., the patient access director (PAD) stated the following: on 2/12/14 Patient 1 came in to the Emergency Department (ED) accompanied by another person. Patient 1 was met initially by a triage nurse (TN) who asked Patient 1 for his name and date of birth. Patient 1 could not speak for himself, so the other person supplied a name and also verified a date of birth. Due to names and dates of birth being similiar for Patient 1 and Patient 2, Patient 1 was inadvertently misidentified as Patient 2. A hospital registration worker (HSR) later that day attempted to get more information to verify identification, including photo identification such as a drivers license, but Patient 1 did not have any identification documents. However, the person accompaning Patient 1 (a friend) stated the name and date of birth on file with the hospital's electronic health system (EHR) were accurate. Based on this information Patient 1 was admitted to the hospital under Patient 2's name and medical record number. After being treated at the hospital for one week, Patient 2's insurance company requested the patient be transferred to an unaffiliated facility to continue treatment. On 2/19/14 Patient 1 was transferred by ambulance with the medical record to the unaffiliated facility. Shortly after arrival staff at the unaffiliated facility determined Patient 1 was not Patient 2. Patient 1 was transferred back to the hospital the same day. Hospital staff determined Patient 1's name was similar but not the same as Patient 2's name, and Patient 1's date of birth was similar but not the same. The PAD stated the medical records for Patient 1 and Patient 2 were later corrected.During an interview on 8/29/14 at 9:45 a.m., the privacy officer (PO) stated Patient 2's medical information including name and clinical information were disclosed to the ambulance crew and unafiliated facility staff, constituting a breach of Patient Health Information. The PO stated a letter was sent to Patient 2 on 2/25/14 to notify him of the incident.During an interview on 9/11/14 at 11 a.m., TN stated her job title was ED technician. The TN stated part of her duties were to assist with initial triage and admitting patients to the ED. TN stated on 2/12/14 Patient 1 came in to the ED accompanied by another person who stated he was a friend. TN stated Patient 1 could not speak due to jaw pain. TN stated the person with Patient 1 supplied a name. TN stated she entered the name into the EHR system and a date of birth and medical record came up on the computer screen. TN stated she asked the person with Patient 1 if the date of birth was correct and he said it was. The TN stated she proceeded with Patient 1's admission and registered Patient 1 under Patient 2's account. The TN stated she asked Patient 1 for identification documents but he had none. The TN stated she sent Patient 1 to a registered nurse to continue the admission process and did not see Patient 1 again.On 8/29/14 a review of a copy of a letter written by the PO dated 2/25/14, addressed to Patient 2, informed Patient 2 on 2/19/14 his personal information was accidentally disclosed. The letter indicated the following information may have been disclosed: name, medical record number, account number, birth date, gender, age and clinical information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280