Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 31, 2013. Also cited in 41 other reports.
Report ID: 717N11.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for 16 patients, (Patient A, B, C, D, E, F, G, H, I J, K, L, M, N, O, and P), when their PHI was electronically transferred to their former primary care physician's (PCP) office. This breach of Patient A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, and P ' s PHI placed these patients at risk for identity theft. FINDINGS:On February 26, 2013, at 10:00 AM, while at the facility, an interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of possible breach of Patient A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, and P PHI. On July 31, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on October 18, 2012, the facility discovered that several patients PHI had been electronically auto-routed to an unverified PCP office (former PCP's office). On October 24, 2012, facility staff verified with the former PCP's office to ensure that the 16 Patient ' s PHI's had been deleted, which they had. Patient's A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, and P's PHI electronically routed to their former PCP ' s included the following: physician dictated reports, consultations, history and physicals, operative reports, cardiac test reports, discharge summaries, laboratory and radiological reports. The PHI that would be included on these reports consisted of patient name, ordering physician, primary physician, attending physician, diagnosis, past medical history, diagnoses, medication, treatment, treatment plan, lab and radiological results, heart test results, allergies, facility name, past medical history, medical record number, encounter number sex, and marital status. On August 14, 2013, at 12:45 PM, a phone interview was conducted with the facility privacy officer, who confirmed this incident. She stated that this situation was due to an interface problem with their computer. The registration system and the transmit system to the physician's office was not updating the primary care physician field. The clerk did update the correct fields at the time of input, but the computer system did not cross over to the other system and update it. She further stated that she was made aware of this situation the same day (October 18, 2012,) when the PCP office called the privacy officer to report the situation. The Facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patient PHI, which resulted in Patient A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, and P being placed at risk of identity theft, when their PHI was electronically auto-routed to a PCP's office without authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights