Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN ANTONIO REGIONAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 2, 2014. Also cited in 35 other reports.
Report ID: HXUP11, California Department of Public Health
Reported Entity: SAN ANTONIO REGIONAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient B, when a volunteer mailed a letter containing Patient B's PHI to Patient A.Finding:On January 27, 2015 at 3:45 PM, a telephone interview was conducted with the Volunteer Manager (VM) for the facility, regarding an entity reported incident of a breach of PHI for Patient B, detected on November 20, 2014. The VM stated the usual process for mailing letters is for the volunteers to count the letters, count the envelopes, and place each letter alternately with each envelope. Patient A and Patient B had the same first, middle and last names, except one letter of the first name was different. The volunteer accidentally placed Patient B's letter in Patient A's envelope. Patient A informed the facility on November 20, 2015 of the error. The facility requested that Patient A destroy Patient B's letter. The VM also stated the volunteers receive the same HIPAA training as the employees, and is always reminding them the importance of patient confidentiality.A review of the letter confirming the imaging results for Patient B, which was mailed to Patient A in error, included Patient B's name, address, identification number, date of birth, and test results.A copy of the letter mailed to Patient B, dated November 24, 2014 informing of the breach of PHI was present.A review of the Policy and Procedure titled, Identification, Patient, dated 1/11, notes; Purpose: "To provide a reliable and consistent method of verifying the identity of the patient prior to...providing paperwork that has Personal Health Information (PHI). Policy 1.D. Providing paperwork that has Personal Health Information (PHI). Procedure: III. "The employee will check to ensure that the two patient identifiers, patient's name and account (FIN or ACCT) number are correct".The facility failed to ensure the correct patient letter was mailed to the correct patient resulting in an unauthorized release of Patient B's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights