This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

FEATHER RIVER HOSPITAL

5974 PENTZ ROAD PARADISE,CA 95969

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 30, 2011. Also cited in 7 other reports.


Report ID: XZ2Y11.01, California Department of Public Health

Reported Entity: FEATHER RIVER HOSPITAL

Issue:

Based on interview and record review, the facility failed to protect confidential health information for one patient. (Patient 1)Findings:On 11/30/11 at 1 pm, the facility's privacy officer stated that on 10/10/11 at 8:30 pm, Laboratory Staff 1 (LS 1) gained unauthorized access to Patient 1's medical information and shared the information with her coworkers. The privacy officer stated that LS 1 had accessed Patient 1's name and admitting diagnosis. Patient 1 was the 2 year old son of a phlebotomist supervisor. On 11/30/11 at 1:30 pm, the Laboratory Director (LD) 2 recalled that LS 1 had been caught by Phlebotomy Supervisor (PS) 3 on 10/10/11 at 8:30 pm, viewing a computer screen displaying a software program called PowerChart. The computer screen listed patients and diagnoses that LS 1 had been previously warned by supervisory staff not to view. LD 2 stated that LS 1 had been directed only to look patients up individually and not access full page screens with patient lists. He stated that LS 1 conducted an Internet search to learn more about Patient 1's diagnosis after obtaining the diagnosis from the PowerChart which she freely shared with her coworkers. On 11/30/11, the computer screen (PowerChart) used by LS 1 was reviewed. The screen contained the name, room, bed, date of birth, account number, length of stay, physician, medical record number, admission date, admitting diagnosis and age of multiple patients. LD 2 stated the number of patients visible would depend on the census for the unit chosen; however, LS 1 had only been interested in Patient 1's name and diagnosis at the time of the breach discovery.During a telephone interview on 3/6/12 at 11:05 am, LD 2 stated that LS 1 accessed the computer screen that had lists of patients and their diagnoses. It was not a computer site that LS 1 would normally use or would need to access in her daily job routine. No other lab personnel had access to this screen/site. LD 2 explained that a former lab director had given LS 1 permission at that time. He explained that the site access could not be removed from LS 1's computer, because the facility's software computer system had no way of deleting it.During an interview on 3/6/12 at 1 pm, LD 2 stated the only time a lab employee would have permission to go into the site that LS 1 accessed would be if he was instructed to do so by himself (lab director) or a supervisor. At that time, it would only be to search for a definitive individual name. Otherwise, LD 2 stated, "The lab employees are not allowed to access this site-period."During a telephone interview on 3/6/12 at 5:40 pm, PS 3 stated she saw LS 1 access the computer screen that showed the names and diagnoses of all patients in the hospital. PS 3 stated she informed LS 1 that she should not be accessing that site. PS 3 stated LS 1 had told her that another supervisor's son (Patient 1) was in the hospital and asked her what his diagnosis meant. PS 3 stated she told LS 1 that she did not know what the diagnosis was and again informed LS 1 that she should not be looking at patients' names and diagnoses. PS 3 stated she saw LS 1 use the computer's Internet site that defined Patient 1's diagnosis and then listened to an audio version of the signs and symptoms of the patient's diagnosis. PS 3 stated she had been a relatively new supervisor at that time of the breach and was unsure of what the protocol was and/or what to do about LS 1 being seen on 10/10/11 viewing the prohibited site. PS 3 stated she reported the breached information incident to LD 2 at the next supervisor meeting on 11/9/11, a month later.

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

Do you believe your privacy has been violated? Here’s what you can do: