Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 13, 2013. Also cited in 72 other reports.
Report ID: 1LQL11.01, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and document review the hospital failed to ensure that Patient 2's personal and protected health information (PHI) was kept confidential when a health care employee faxed Patient 2's face sheet to a physician's office that was not Patient 2's physician. As a result of this failure, an unauthorized physician had access to Patient 2's personal information.Findings:An on site investigation of an entity reported privacy breach was initiated on 12/13/13. It was reported to the California Department of Public Health that, on 10/18/13 an unauthorized and inadvertent disclosure of Patient 2's demographic information was faxed to a primary care physician that was not Patient 2's physician. The fax was generated from an incorrect charge to Patient 2's account. On 12/13/13 at 3:50 P.M., an interview was conducted with the coordinator patient relations/risk management (CPRM). CPRM stated that when Patient 1 was in the hospital's emergency room an account was created under Patient 2's name when Patient 2's name was incorrectly selected. CPRM stated that the incorrect account was identified and a correct account was created for Patient 1, but the original account created for Patient 2 was not deleted. Patient 1 was given three medications during the emergency room visit which was charged to Patient 2's account, this generated a bill for Patient 2. The hospitals biller/account receivable representative (BAR) followed up with the bill and inadvertently selected a primary care physician (PCP) which generated Patient 2's face sheet to be faxed to the PCP. The PCP's office called and informed the BAR that this was not their patient. The face sheet that was inadvertently faxed to the PCP included Patient 2's name, medical record number, account number, admission date, admission diagnosis, date of birth, age, gender, home address, phone number, insurance information, next of kin's name, address, and phone number.On 1/31/14 at 8:10 A.M., an interview with the BAR was conducted. The BAR stated that the bill had not been paid so she contacted the third party insurance about payment. BAR stated that the date of birth didn't match so she looked for more information to give to the insurance company when she accidentally hit the "referring physician". The BAR then inadvertently selected a PCP which generated Patient 2's face sheet to be faxed to the PCP. The physician's office called and made the billing office know that Patient 2 was not their patient, which it was then identified that the charges were billed to the wrong account.On 1/31/14 at 8:50 A.M., an interview was conducted with the access representative (AR). The AR stated that she created an account by using identification, such as the date of birth or social security, to verify the patient in the system. The AR stated that she started by typing the patients name then verified with the date of birth or social security number. AR acknowledged that on that day Patient 1 was taken back by the nurse prior to her verifying per the hospitals process. AR stated that the nurse made her aware of the error a couple of hours later, which she created the correct account for Patient 1, but due to information entered into Patient 2's account was unable to cancel that account. A review of the hospital's policy and procedure, entitled "Patient Identification and Color Medical Alerts", dated 3/19/13, indicated "IV. Procedures: A. Validate Patient Identity 2. Account Creation/Update: a. Request identification in order of the following preference: i. Government-issued photo (...passport, drivers license). ii. Non-government photo identification with additional document reflecting the name, e.g...social security card... iii. Two identifying documents, containing the patient's full legal name. iv. Patient's stated identity: legal name, last and first."A review of the hospital's policy and procedure, entitled "Health Information, Access, Use and Disclosure", dated 9/24/13, indicated "Policy: ... 3. Category III: Disclosure Requiring Authorization from the Patient/legal Representative a. Disclosure of Protected health Information for any reason... requires patient/legal representative authorization." The access representatives failure to follow the policy and procedure for creating an account by validating the patient's date of birth and/or social security, resulted in the inadvertent and unauthorized release of protected health record information. This was also in violation of the patient's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights