Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 31, 2013. Also cited in 41 other reports.
Report ID: GVV011.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A, when a fax sent to a medical clinic with Patient B's PHI included 4 pages of Patient A's PHI. This breach of Patient A's PHI placed the patient at risk for identity theft and unauthorized access by a third party. FINDINGS:On February 26, 2013 at 10:00 AM, during a visit to the facility, an interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of a possible breach of Patient A PHI. On July 31, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on October 22, 2012, Employee 1, a contracted release of information clerk, faxed Patient B's ordered medical record to a medical clinic. Four (4) pages of Patient A's PHI was misfiled in Patient B's medical record, and was faxed to the pain clinic along with Patient B's PHI. Patient A's misdirected PHI was shredded by the medical clinic. Patient A's PHI which was faxed to the unauthorized, unintended medical clinic included the following: Patient A's name, date of birth, age, ordering physician name, diagnosis, past medical history, current medical condition, treatment, treatment plan, medications, labs ordered and results, allergies, facility name, date of discharge, medical record number, encounter number, sex, and marital status. On August 14, 2012 at 12:41 PM, a phone interview was conducted with the facility privacy officer (FPO) who confirmed this incident. She stated that four pages of Patient A's medical record had been misfiled in Patient B's medical record. When the medical clinic requested Patient B's medical record to be faxed, Employee 1 did not physically check each page to ensure that they belonged to Patient B, and faxed the pages to the medical clinic, including the four pages of Patient A's medical record containing PHI.The facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patient PHI, which resulted in Patient A being placed at risk of identity theft, when a fax containing Patient A's PHI was sent to an medical clinic without authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights