Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 23, 2012. Also cited in 72 other reports.
Report ID: QPGJ11.01, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on observation, interview and record review, the hospital failed to maintain confidentiality for one patient (56), in a patient care area of a Surgical Intensive Care Unit (SICU). Registered Nurse (RN 60) failed to log out of a computer before leaving it unattended. The computer was opened to a page of Patient 56's Medication Administration Record (MAR) (confidential information) and was visible to passersby during visiting hours. The hospital's failure denied Patient 56's right to confidential treatment of the patient's medical records. The hospital census was 302 patients.Findings:On 1/24/12 at 3:00 p.m. during a tour of SICU, a computer outside the room of Bed 10, was observed unattended. The computer was opened to a page of Patient 56's Medication Administration Record (MAR). Patient 56's name and her routine medications were visible to passersby during visiting hours.A record review of the Inpatient Face Sheet, dated 1/23/12, showed Patient 56 was admitted on 1/19/12, with a diagnosis of rectal cancer. A History and Physical, dated 1/21/12 at 8:53 A.M., showed that she was admitted through the Emergency Department with severe pain in the rectal area with drainage and required emergency surgery.On 1/24/12 at 3:02 P.M. in an interview, the Surgical Intensive Care Unit (SICU), Registered Nurse Manager (RN 59), said that Registered Nurse (RN 60) was Patient 56's nurse. The manager looked around the unit and indicated that he did not see RN 60. RN 59 acknowledged that confidential patient information was visible on the computer screen and could be visible to persons who walked by the computer screen. SICU staff said the "print screen" function was not available on the computer with wheels but they provided a copy of the MAR which included five routine medications administered or scheduled to be administered between 1/24/12 at 7:00 A.M. through 1/25/12 at 6:59 A.M. On 1/24/12 at 3:06 P.M., during an interview with RN 60, she acknowledged that she left the MAR screen on Patient 56's MAR visible because she had to go to the restroom and did not have a chance to log out.On 1/25/12 at 10:27 A.M. during an interview, the Director of Risk Management (ADM 61) provided and discussed the hospital's policy regarding, Confidentiality of Information (Patient, Financial, Employee, and Other Sensitive and Proprietary Information (dated 11/10). A review of the policy showed that every employee who had access to Confidential Information was responsible for following all hospital, "policies and to safeguard all Confidential Information." The policy defined "Confidential Information" to include Personal Health Information and patient records. The policy described Inappropriate Disclosure of Protected Health Information as, "disclosing confidential information, regardless of intent, in verbal written or electronic form ...in a setting where information can be read or transferred from an unattended computer monitor ... " The policy described Protected Health Information (PHI) as, "any information, including demographic information, collected from an individual that (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (b) relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual and identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."On 1/26/11 at 2:00 P.M., during the surveyor exit conference, a hospital administrator asked the surveyor for clarification as to whether the circumstances of the disclosure (provision of access to the confidential information) were potentially allowable under the hospital's policies. ADM 61 told him, "No" and explained that the disclosure occurred in a setting where information could be read from an "unattended" computer monitor.
Outcome:
Deficiency cited by the California Department of Public Health: PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS