Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 6, 2015. Also cited in 55 other reports.
Report ID: KLHC11, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) in the Outpatient Ambulatory Surgery Services when a registered nurse (RN 1) released discharge instructions for Patient A to Patient B's significant other. This resulted in a Health Insurance Portability and Accountability Act (HIPAA) breach of PHI for Patient A.Findings:During a phone interview with the Local Privacy Officer on April 7, 2015 at 11:45 AM, she stated the breach occurred on January 6, 2015, and the medical records department detected the breach a couple of days later when going through documents.During an interview with RN 1 on April 8, 2015 at 8:35 AM, when asked how Patient B's significant other signed Patient A's discharge instructions, she stated multiple packets and pages were printed out due to computer/printer problems. RN 1 stated she believed this led to Patient A's discharge instructions being printed at the back of Patient B's discharge instructions. When RN 1 was asked what should have done differently to prevent a reoccurrence of a HIPAA breach, she stated, "I would have slowed down and checked their armband like when I give medications more closely and checked two patient identifiers before having the patient sign."A review of three facility documents, titled, "Patient Instructions Signature Page," dated January 6, 2015, indicated two discharge instruction forms were printed for Patient A, and one discharge instruction form was printed for Patient B. Patient A's discharge instructions were signed at 12:00 PM and again at 1:10 PM, by two different persons, Patient A's wife and Patient B's significant other. Patient B's discharge instruction form is not signed or dated.A review of one facility document, titled, "Patient Instructions Page," dated January 6, 2015, and signed at 1:10 PM, indicates the PHI breached included: Patient A's name, date of birth, and type of medical procedure.A review of Patient A and Patient B's face sheets (document with patient information, medical information and emergency contacts), dated January 6, 2015, indicated Patient A's wife and Patient B's significant other were the two persons who signed the document titled, "Patient Instructions Page."A review of the facility policy and procedure, titled, "Confidentiality Policy," dated, January 24, 2012, requires, "The employee to follow all [name of facility] . . . policies and procedures and the [name of facility] Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights