Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHASTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 27, 2012. Also cited in 7 other reports.
Report ID: JBYM11, California Department of Public Health
Reported Entity: SHASTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to safeguard confidential health information for one patient. This resulted in unauthorized disclosure of the patient's confidential health information. (Patient 1)Findings:On 2/17/12, the California Department of Public Health received a faxed report from Administrative Staff (Admin) A, that indicated that the facility had identified an unauthorized access of Patient 1's health information by a co-worker. Admitting Registrar B and Patient 1 both worked in the admitting department of the facility.During an interview on 2/27/12 at 3 pm, Admin A confirmed that the facility had run an audit of their electronic health records on 2/15/12. This audit showed that Admitting Registrar B had accessed Patient 1's record on 1/29/12. Admitting Registrar B viewed all lab work that had been performed during Patient 1's Emergency Department visit on 1/29/12. Admin A confirmed that Admitting Registrar B's job duties entailed registering Emergency Room Department patients and that there was no need for her to view Patient 1's lab work in the course of her job duties, and as a result Admitting Registrar B had been terminated. Admitting Registrar B's employee file was reviewed. On 2/4/10, Admitting Registrar B had signed a "Workforce Confidentiality Agreement." It read as follows, "My authentication codes are for my use only when accessing information appropriate to my work."A facility policy titled, "Information Security," and dated 6/11, read as follows, "The facility allows access to patient information for the following reasons: patient care, through proper authorization by the patient or patient's representative, and required reporting. . . . Each user's access is restricted to the information needed to do his/her job."
Outcome:
Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280