Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 4, 2015. Also cited in 72 other reports.
Report ID: U4ET11, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview, record and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a Medical Doctor (MD) 1 had verbally discussed Patient 1's sensitive diagnosis in the presence of family members without Patient 1's verbal consent. As a result of this failure, Patient 1's personal and medical information was released without the authorization from Patient 1.
Findings:
An onsite investigation of an entity reported privacy breach was initiated on 5/4/15. It was reported to the California Department of Public Health that, on 4/9/15 a physician had an inappropriate discussion of Patient 1's medical information in the presence of family without permission from Patient 1.
On 6/25/15 at 2:10 P.M., an interview was conducted with the Director of Risk Management (DRM). The DRM stated that MD 1 had entered the exam room of Patient 1 and openly discussed a sensitive diagnosis in front of Patient 1's mother, mother-in-law and significant other. The DRM stated that MD 1 had reviewed Patient 1's past medical history and that Patient 1 had tried to use her eyes to let MD 1 know that she did not want the information discussed. The DRM stated that the physicians and hospital staff were to introduce themselves and then ask for anyone in the room to step out. The DRM stated that MD 1 was required to follow the hospital's HIPAA (Health Insurance Portability and Accountability Act) policy and procedure.
On 6/25/15 at 2:35 P.M., an interview was conducted with RN 2. RN 2 was the primary nurse for Patient 2 (Patient 1's infant child). RN 2 stated that she had not been present when MD 1 was with Patient 1 and 2. RN 2 stated that the practice was to get authorization from the patient to discuss medical care if there were other people present in the room.
On 7/9/15 at 9:04 A.M., an interview was conducted with MD 1. MD 1 stated that she was in the room with Patient 2's parents and grandparents and that she had asked Patient 1 if the C-section (Cesarean, a surgical procedure to deliver a baby through incisions in the abdomen and uterus) related to herpes. MD 1 explained that she asked this information because any rash or lesion seen on the baby (Patient 2) meant that the baby would need to be seen. MD 1 stated that she sensed something was wrong and that after the exam of Patient 2, Patient 2's father (Patient 1's significant other) followed her out and was very upset about the discussion of Patient 1's sensitive diagnosis.
A review of MD 1's employee record revealed that MD 1 had signed the document "Confidentiality and Non-Disclosure Agreement" on 3/13/14. This document indicated, "I will take all necessary steps to safeguard Confidential Information at all times in accordance with the law and (hospital name) policies..."
A review of the hospital's policy and procedure, entitled "Confidentiality of Information (Patient, Financial, Employee, and Other Sensitive and Proprietary Information)", dated 07/14, indicated "II Policy (hospital name) is committed to safeguarding our patients' privacy, and the confidentiality of records and related information for all patients... It is the responsibility of every (hospital name) employee, medical staff member... having access to (hospital name) information to follow all of (hospital name) policies and to safeguard all Confidential Information... B. Confidentiality and Non-Disclosure Agreement - ... Non-employees are required to sign this agreement as a condition of conducting business on behalf of (name of hospital)... This agreement includes the following: 3. Appropriate disclosure of confidential information;... IV. Responsibilities: B. Professional Licensed Staff will identify individuals (e.g. family/friends) involved in a patient's care based on patient's expressed desires, clinical situation and patient care needs. V Procedures...C. 4. Obtain appropriate authorization for use and disclose of protected health information, i.e. patient authorization..."
This policy was not followed when MD 1 verbally disclosed private medical information without Patient 1's authorization. MD 1's failure to follow the policy and procedure with regards to the verbal authorization to discuss Patient 1's medical health information resulted in the unauthorized release of Patient 1's protected health information. This was also in violation of Patient 1's right to confidentiality of all communications and records pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights