Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SALINAS VALLEY MEMORIAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 29, 2014. Also cited in 14 other reports.
Report ID: 1OZ711.01, California Department of Public Health
Reported Entity: SALINAS VALLEY MEMORIAL HOSPITAL
Issue:
Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of patient health information (PHI) for one of two sampled patients (1), when a hospital staff member (ONN) intentionally accessed Patient 1's electronic medical record without authorization or a job related need. The failure resulted in disclosure of Patient 1's PHI to an unauthorized individual.
Findings:
The California Department of Public Health received a faxed report on 8/1/13, which indicated ONN had accessed the electronic medical record of a patient who was not ONN's patient. ONN had accessed Patient 1's electronic medical record because she was curious. A subsequent report dated 8/5/13 indicated, after an internal investigation, the hospital identified ONN had accessed Patient 1's medical record. ONN had not cared for Patient 1, nor had a business related reason to access Patient 1's electronic medical record.
During an interview on 8/29/14 at 10:25 a.m., the compliance officer (CO) stated that on 7/30/13 ONN had accessed Patient 1's electronic medical record, and a coworker had notified the privacy officer of the unauthorized access of Patient 1's electronic medical record.
During an interview on 8/29/14 at 11:50 a.m., the human resources director (HRD) stated ONN had accessed the electronic medical record of Patient 1 who was not being cared for by ONN. HRD stated she had interviewed ONN. ONN stated she had accessed Patient 1's electronic medical record because she was curious. HRD then stated ONN was no longer an employee of the hospital. HRD further stated the audit indicated ONN had only accessed Patient 1's record one time.
During an interview on 9/2/14 at 11:30 a.m., ONN stated Patient 1 had come to the office for a nonbusiness related reason. After she had left, ONN's two coworkers had negative feelings about Patient 1. ONN stated she looked into Patient 1's electronic medical record to collaborate the feelings of her coworkers. ONN stated she looked into Patient 1's medical record history to find out what kind of person she was, look for any emergency room visits, but could only find appointments for preventative care. ONN confirmed she had no business related reason to access Patient 1's medical record. ONN stated she told her coworkers her findings, and they told CO that ONN had accessed Patient 1's medical record.
A review of a copy of a letter dated 8/1/13 from the hospital to Patient 1 indicated there had been a report to the privacy officer ONN had accessed Patient 1's electronic medical record. An audit of Patient 1's electronic medical record confirmed the unauthorized access of Patient 1's electronic medical record by ONN.
A review of a copy of an internal audit dated 7/30/13 indicated ONN had accessed Patient 1's electronic medical record on 7/30/13 using Patient 1's account number and Patient 1's plan of care, radiation reports and files, medical reports, and select visits had been disclosed.
A review of a copy of the hospital's 10/28/11 "Minimum Necessary Disclosure of Protected Health Information" policy indicated each employee may only access the minimum information necessary to perform their designated roles regardless of the extent of access provided.
A review of a copy of the hospital's 4/23/10 "Uses and Disclosures of Protected Health Information - General Rule" policy indicated requests for individual healthcare information are limited to individuals who need the information to carry out patient care duties, to perform a specific type of work, or complete a function.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280