Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER COAST HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 4, 2012. Also cited in 58 other reports.
Report ID: 7HLU11, California Department of Public Health
Reported Entity: SUTTER COAST HOSPITAL
Issue:
Based on interview, and review of clinical records and hospital documentation and policy, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI), when, 1. Patient 1 was handed discharge paperwork with Patient 2's name on it, and, 2. Patient 3's mammogram results were sent to Patient 4. These failures resulted in breaches of the PHI of Patient 1 and Patient 3, and possible unauthorized use of the information. (Breach-Unauthorized acquisition, use, or disclosure of unsecured PHI which compromises the security or the privacy of the information.) Additionally, the failure to inform Patient 3 of her mammogram results potentially delayed further diagnostic testing.
Findings:
1. Review, on 6/1/12, of the form titled "Intake Information", received via facsimile on 5/23/12 by the California Department of Public Health, (CDPH), indicated the hospital detected a breach of protected health information (PHI), on 5/17/12. A copy of a letter, dated 5/23/12, which notified Patient 2 of the breach of PHI, accompanied the facsimile. Both notifications were within five business days of detection, as specified by HSC 1280.15 (b)(1) and (2).
During an interview and concurrent review of clinical records and hospital policy, on 6/4/12 at 4:30 p.m., the hospital Privacy Officer stated Patient 1 was seen in the Emergency Department (ED), on 5/17/12. A Physician Assistant, (PA), entered Patient 1's discharge medications, discharge instructions, and medication reconciliation information into the electronic medical record, without clearing the name of the prior patient, Patient 2. The PA printed copies of the entered information. Licensed Nurse A handed Patient 1 the copies without checking the name on the printed material with Patient 1's name band. Patient 1 received copies of discharge medications, instructions and medication reconciliation with Patient 2's name.
Patient 1 carried the information to an outside pharmacy where pharmacy staff discovered the error and reported it to Licensed Nurse A on 5/17/12.
Review, of the information Patient 1 received revealed it included Patient 2's name, diagnosis, medication list, and prescriptions, as well as instructions for home care.
2. Review, on 6/1/12 of the form titled "Intake Information", received via facsimile on 5/4/12 by the CDPH, indicated the hospital detected a breach of PHI on 5/1/12. A copy of a letter, dated 5/4/12, which notified Patient 3 of the breach of PHI, accompanied the facsimile. Both notifications were within five business days of detection as specified by HSC 1280.15 (b)(1)(2).
During an interview, and concurrent review of clinical records and hospital policy, on 6/4/12 at 4:50 p.m. the hospital Privacy Officer stated Patient 4 notified the Imaging Department by telephone, on 5/1/12, that another patient's, (Patient 3), mammogram results had been included in the envelope with her own results. The Privacy Officer stated the Diagnostic Imaging Department did its own mailings, and staff had inadvertently gathered both reports into the envelope sent to Patient 4.
Review, of Patient 3's report, received in error by Patient 4, revealed the report, dated 4/21/12, included the patient's name, and the physician's direction to contact her physician, as soon as possible, to schedule a biopsy to determine if Patient 3 had cancer.
During a telephone call, on 6/5/12 at 11:50 a.m., the Privacy Officer stated he was unsure how Patient 3 was notified of the mammogram results, however, Patient 3 had undergone a biopsy on 5/2/12, as documented by a diagnostic report dated 5/2/12, two days before Patient 4 notified the Imaging Department of the breach.
The Privacy Officer stated the patient's right of confidentiality of personal information was part of every hospital employee's orientation.
Review, of the hospital policy titled "Confidential Information", dated 5/02/11, indicated that patients' and staff's personal information would be held in the strictest confidentiality and only released with specific authorization.
Review, of hospital policy titled "Patient Identification", dated 1/3/10, indicated diagnostic and therapeutic procedures would not be performed until the patient is properly identified by an identification bracelet or verbal verification of their name and date of birth. The policy also specified that meal trays would not be delivered until verification of patient name and birth date was done verbally or visually, the policy did not address release of records.
Review, of hospital policy titled "Release of Health Information by Hospital Employees", dated 6/5/10, indicated no health information (is) released except with appropriate authorization, specified as authenticated patient name and date of birth.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280