Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
NORTHBAY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 14, 2013. Also cited in 9 other reports.
Report ID: ZVQ611, California Department of Public Health
Reported Entity: NORTHBAY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) medical information when Patient 1's health information was given to Patient 2. This failure allowed the unlawful or unauthorized access to some of Patient 2's medical information. Findings: The California Department of Public Health was notified on 8/9/13 that a,"Breach of Protected Health Information (PHI)", occurred on 8/1/13.During an interview on 8/14/13 at 10:30 a.m., Administrative Staff A stated that, on 8/7/13, she was notified by Unlicensed Staff B that on 8/1/13 she pulled the wrong file and copied Patient 1's PHI instead of Patient 2's PHI as they had the same first and last names. Subsequently Unlicensed Staff B gave the copies to Patient 2's Secondary Care Provider. Patient 1's PHI included his: name, address, gender, date of problem onset, date of birth, occupation, social security number, phone number, insurance company's name/address/phone/fax, employer name/phone, subjective complaints, assessment, diagnoses, treatment plan, medications, primary care provider's name/license number/address/phone, allergies, secondary care provider's name/license number, progress notes, frequency of care, total visits, and discharge date. Administrative Staff A also stated that the breach had been discovered, on 8/5/13, when Patient 2 called Unlicensed Staff C and advised her that he had Patient 1's PHI that had been given to him by his Secondary Care Provider.Administrative Staff A further stated that the Secondary Care Provider did not have a policy on how to release requested medical records.A review of the facility Policy and Procedure for, "Patient Access to Medical Records" (10/11), indicated the following: "III. COPIES OF RECORDS: B. Copies must be requested in writing, utilizing authorization for Release of Information from Health Information Management, and must include the patient's name, date of birth, approximate dates of care, and number of copies requested".A review of the facility Policy and Procedure for, "Notice of Privacy Practice" (9/11), indicated the following: "I. POLICY...B. The Notice of Privacy Practices will inform individuals of the Uses and Disclosures of PHI that may be made by the facility and of the patient's rights and the facility's legal duties with respect to PHI. The facility will document and implement procedures to ensure internal processes that create, use or disclose PHI in compliance with The Notice of Privacy Practices".A review of the facility Policy and Procedure for, "Confidentiality of Patient Information" (4/12), indicated the following: "I. PURPOSE: A. The facility acknowledges both a legal and ethical responsibility to provide patient confidentiality. Consequently, the indiscriminate or unauthorized review or disclosure of personal information, medical or otherwise, from any source regarding any patient is expressly prohibited. II. Policy:...H. Pre-hospital and transporting personnel will receive only information necessary for the care of the patient".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280