Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
NORTHBAY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 27, 2013. Also cited in 9 other reports.
Report ID: N8YP11.01, California Department of Public Health
Reported Entity: NORTHBAY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of nine patients' (Patient 1, Patient 2, Patient 3, Patient 4, Patient 5, Patient 6, Patient 7, Patient 8, and Patient 10) medical information when: A) Patients 1, 2, 3, 4, 5, and 6's medical information was stolen from the facility; B) Patient 7's and Patient 8's medical information was sent to another facility; and C) Patient 10's medical information was given to another patient by mistake. These failures allowed the unlawful or unauthorized access to protected health information.Findings:A) CA00339344The California Department of Public Health was notified on 1/11/13, that a, "Breach of Protected Health Information (PHI)," occurred on 1/7/13.During an interview on 2/28/13 at 11 a.m., Administrative Staff A stated that, on 1/7/13, she was notified by Licensed Staff C that two cameras, containing PHI for six patients, had been stolen from the wound center. During the day Licensed Staff B, Licensed Staff D, and Licensed Staff E had used the cameras to record Patient 1 through Patient 6's wounds, along with their Medical Record #'s, the dates the pictures were taken, the location of the wounds, and the measurements of the wound.Administrative Staff A further stated that it was a failure to follow policy and procedure; on the part of Licensed Staff B, Licensed Staff D, and Licensed Staff E, in that they were supposed to download each photograph to the patient's chart and then lock the cameras up between uses.The Department verified that Patients 1, 2, 3, 4, 5, 6, were notified of the breach, by mail, on 1/11/13.B) CA00339929The California Department of Public Health was notified on 1/16/13, that a, "Breach of Protected Health Information (PHI)," occurred on 1/14/13.During an interview on 2/28/13 at noon, Administrative Staff A stated that, on 1/16/13, she was notified by Manager H that, on 1/14/13, Unlicensed Staff F had printed out PHI for Patient 9's transfer to another medical facility, and that the PHI had been placed in an envelope that included laboratory results for Patients' 7 and 8, without double-checking the contents, according to policy and procedure. Administrative Staff A also stated that Licensed Staff G did not verify the contents of the envelope for Patient 9, per policy and procedure, that he handed to the transporting personnel, when she was transferred.Administrative Staff A further stated that when Patient 9's Physician at another medical facility saw the high alcohol levels for Patient 7 and the high sugar levels for Patient 8, he questioned Patient 9 about her alcohol use, only to find out she did not drink alcohol. The Department verified that Patient 8 was notified of the breach, by mail, on 1/16/13.C) CA00342291The California Department of Public Health was notified on 2/5/13, that a, "Breach of Protected Health Information (PHI)," occurred on 1/30/13.During an interview on 2/28/13 at 11:30 a.m., Administrative Staff A stated that, on 1/30/13, License Staff J notified her that Licensed Staff I gave Patient 11, on 1/30/13, a prescription meant for Patient 10, which included Patient 10's name, date of birth, address, physician's name and medication needed.Administrative Staff A further stated that Licensed Staff I had taken care of both Patient 10 and Patient 11 and on discharging Patient 11, did not verify the information that she gave Patient 11, contrary to policy and procedure.The Department verified that Patient 10 was notified of the breach, by mail, on 2/4/13.A review of the facility Policy and Procedure for, "Notice of Privacy Practice" (9/11), indicated the following: "I. POLICY...B. The Notice of Privacy Practices will inform individuals of the Uses and Disclosures of PHI that may be made by the facility and of the patient's rights and the facility's legal duties with respect to PHI. The facility will document and implement procedures to ensure internal processes that create, use or disclose PHI in compliance with The Notice of Privacy Practices."A review of the facility Policy and Procedure for, "Confidentiality of Patient Information" (4/12), indicated the following: "I. PURPOSE: A. The facility acknowledges both a legal and ethical responsibility to provide patient confidentiality. Consequently, the indiscriminate or unauthorized review or disclosure of personal information, medical or otherwise, from any source regarding any patient is expressly prohibited. II. Policy:...H. Pre-hospital and transporting personnel will receive only information necessary for the care of the patient."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280