Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN JOAQUIN COMMUNITY HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 10, 2011. Also cited in 8 other reports.
Report ID: I0IR11, California Department of Public Health
Reported Entity: SAN JOAQUIN COMMUNITY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to protect one patient's health information (A). 1. A hospital employee (Employee A) disclosed Patient A's protected health information to a private citizen. 2. Employee A accessed Patient A's health information without authorization. Findings: The hospital report was reviewed on 1/10/11 at 8 AM. The incident description read as follows, "On 12/27/10, patient (Patient A) reported to ED (Emergency Department) Director via telephone that personal protected health information had been disclosed by a Unit Secretary (Employee A) on duty during his visit to the ED on 12/17/10. After further investigation it was determined that a Unit Secretary working in the ED saw the pt (patient) being brought in the Emergency Department and left a voice mail for a private citizen/mutual associate of the patient. Information disclosed ...included PHI (Protected Health Information). The employee was also noted to have accessed this patients (sic) PHI via the electronic record without a "need to know." During an interview with the HIPPA (Health Information Portability and Accountability Act) Privacy and Security Official [HPSO], on 1/10/11 at 1:50 PM, she stated Employee A was a unit secretary in the ED. On 12/17/10 Employee A saw Patient A in the ED and called and left a voicemail to a mutual acquaintance/private citizen. When the private citizen returned Employee A's telephone call, Employee A informed the private citizen the medical diagnoses of Patient A. Employee A, also accessed Patient A's electronic medical record (EMR), although there was no need to. According to HPSO, Employee A admitted she disclosed Patient A's health information to a private citizen and admitted to accessing Patient A's EMR without authorization. HPSO, also indicated Employee A was suspended on 12/27/10 and subsequently terminated on 1/3/11. Employee A received HIPPA training in December according to HPSO. Employee A's training record was reviewed on 1/10/11 at 2 PM with HPSO. Documentation in the training record indicated, Employee A received HIPPA training on 12/9/10. The training material was reviewed and indicated in part, "...The OBLIGATION to protect the confidentiality of healthcare information of EVERY PATIENT regardless of who THEY are Regardless of who YOU are... An employee may only access patient information such as required by the employee's job requirements. Employees who receive or view information about patients in order to do their jobs may not share the information with any others unless the others need to know that information by virtue of their job requirement..."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights