Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: D2WB11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health (PHI) information for Patient A, when Patient A's PHI was inadvertently faxed from Facility 1 to Facility 2 with Patient B's medical records.On January 30, 2015, at 1:45 PM, a telephone interview was conducted with the Risk Manager (RM) and RN Case Manager (RN 1), regarding an entity reported incident of a breach of PHI for Patient A detected on May 2, 2014. RN 1 stated the normal process for referrals submitted on the night shift to the Case Management Department (CMD), was as follows: referrals are collected from various units, then dispersed by the Placement Specialist (PS) to the Case Managers on day shift. The CMD received a referral for Patient B to be transferred to another facility. RN 1 was assigned to secure placement for Patient B. The packet for Patient B was reviewed by RN 1 and given back to the PS. RN 1 further stated, while working on a different unit, it was determined that Patient B was a candidate for transfer to Facility 2. RN 1 asked the PS to fax Patient B's medical information to Facility 2. On May 2, 2014 an employee from Facility 2 notified Facility 1 that the History and Physical (H&P) for Patient A was mixed in with Patient B's faxed medical records. During further interview with RN 1, it was stated that several computers generate patient information which are printed to one printer. The medical records are sorted and each patient's records are then stapled together. RN 1 stated it was unclear how the H&P from Patient A was mixed in with the records of Patient B, but it did happen. RN 1 stated they were notified the PHI for Patient A was destroyed by Facility 2. A concurrent interview was conducted with the RM who stated Patient A was notified by certified letter on May 8, 2014 of the breach of PHI. During a review of the H&P faxed to Facility 2 in error, the documentation included; patient name, age, gender, date of admission, preferred language, diagnosis, history of current illness, current treatment plan, past medical history, social history, physical examination, laboratory results, imaging results, medical record number, account number, and physician name.During a review of the documentation provided by the Facility, a copy of the certified letter dated May 8, 2014 informing Patient A of the breach of PHI was present.A review of the Policy and Procedure titled, "Confidentiality Policy", dated January 22, 2014 indicates, "The employee will follow all (Facility 1's) policies and procedures and (Facility 1's) Standards of conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the singed authorization of the patient."The facility failed to ensure the correct patient information was faxed to Facility B, resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights