This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

KAISER FOUNDATION HOSP SO SACRAMENTO

6600 BRUCEVILLE ROAD SACRAMENTO,CA 95823

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 1, 2015. Also cited in 16 other reports.


Report ID: JHBA11.01, California Department of Public Health

Reported Entity: KAISER FOUNDATION HOSP SO SACRAMENTO

Issue:

Based on staff interview and review of facility documents, the facility failed to prevent an unauthorized disclosure of Patient 1's health information. Additional information of Patient 1, which was released to a third party, was more than what was requested by Patient 1 on the release of information consent form. Additionally, the facility failed to report the breach of PHI to the Department and to Patient 1 within five working days as required.

Findings: A review of documents provided by the facility revealed that on 6/18/14, Patient 1 signed a consent form called an "Authorization for Use of Disclosure of Patient Health Information" and turned in the form to a sister facility. The sister facility processed the request on 7/9/14, but included more than what was authorized. Patient 1 requested only for the facility to send to a third party her emergency room (ER) visit records for 6/13/14. The facility included the patient's information of an ER visit on 12/25/13. The information from the ER visit on 12/15/13 consisted of the patient's name, medical record number, date and time of service, chief complaint, vital signs, physical exam notes, diagnosis, prescribed medications and discharge instructions.

An interview with the facility's Risk Manager was conducted on 5/1/15 at 10:00 a.m. She stated that since the patient's primary physician was at the primary facility, the primary facility became the custodian of the patient's records. She acknowledged that the sister facility (who committed the breach of Patient 1's PHI) notified the primary facility of the incident on 9/16/14. The primary facility was responsible for notifying Patient 1 and the Department of the breach. The Risk Manager acknowledged that the primary facility did not report the breach to the Department until 9/29/14, which was six days past the required report within five days of detection. The Risk Manager further acknowledged that the facility did not notify Patient 1 until 9/30/14, which was seven days past the required report within five days of detection.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
