Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 16, 2014. Also cited in 46 other reports.
Report ID: 3V6011.01, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a health care worker faxed Patient 1's PHI that included physician dictated reports, nursing documentation, X-ray results and aftercare instruction to a real estate agent. As a result of this failure, the real estate agent had access to Patient 1's personal information. Findings:An on site investigation of an entity reported privacy breach was initiated on 1/16/14. It was reported to the California Department of Public Health that, on 12/2/13 an unauthorized and inadvertent disclosure of Patient 1's medical information was inadvertently faxed to a realty office.On 1/16/14 at 2:30 P.M., an interview was conducted with the patient access service representative (PASR). The PASR stated that she "receives call from work comp adjusters for doctors reports, dictations and other reports, tests related to the work comp cases". The PASR stated that Patient 1's work comp adjuster called and requested to have Patient 1's doctor work comp report, any dictations faxed over. The PASR stated that the adjuster provided the fax number. The PASR faxed the requested information to the adjusters fax number. The PASR stated that a realtor called and informed them that she had received information that did not belong to her.On 1/16/14 at 2:45 P.M., an interview was conducted with the lead of patient access (LPA). The LPA stated that PASR came to her and informed her of the inadvertent fax to the realtor. The LPA stated that the realtor did not leave name or number. The LPA faxed a letter to the realtor to contact LPA. The realtor contacted the LPA and stated that she opened the fax by her computer, realized it was a "HIPAA (Health Insurance Portability and Accountability Act)" issue, which was why she called and after she called that it was deleted. On 1/16/14 at 3:00 P.M., a review of Patient 1's records that were faxed to the realtor was reviewed. The faxed information included: 1) Patient 1's hospital face sheet that contained Patient 1's name, date of birth (DOB), age, sex, home address, cell and home phone number, employer name and address, diagnosis, date of injury and medical record number. 2) Patient 1's, "doctors first report of occupational injury or illness" which included Patient 1's name, DOB, age, sex, home address, home phone number, social security number, employer name and address, where the injury occurred, the date/time of injury, date last worked, date/hour of the first exam/treatment, treating doctors name, address, phone number and license number.3) Patient 1's emergency room note dated 10/30/13 that included Patient 1's admit number, medical record number, date of service, DOB, chief complaint, history of present illness, review of systems, physical examination, emergency room course, clinical impression, disposition and plan.4) Patient 1's X-ray results dated 10/30/13, which included, reason for exam, examination, history, findings and impressions.AND,5) Patient 1's emergency room discharge summary dated 10/30/13, which included, Patient 1's name, sex, marital status, medical record number, age, DOB, language, phone number, account number, visit reason, address, provider name, vital signs, physician orders, prescriptions given, and patient education.A review of the hospital's policy and procedure, entitled "Health Information, Access, Use and Disclosure", dated 11/12, indicated "...3. Category III: Disclosure Requiring Authorization from the Patient/legal Representative a. Disclosure of Protected health Information for any reason... requires patient/legal representative authorization." The policy and procedure entitled, "Data Encryption and Transmission Security", dated 05/12, indicated "...IV. Text: A. Roles and Responsibilities: 2. (name of hospital) management is responsible, within their business unit, for supporting and monitoring appropriate and reasonable security policies... a. Facsimile or electronic communications shall be restricted to External Parties who have a legal or regulatory right to the data..."The department of Patient Access Service's internal policy and procedure entitled "Facsimile of Protected health Information", indicated "Fax Safeguards: verify accuracy of fax numbers with intended recipient before sending a fax, When faxing PHI (protected health information), verify fax number and availability of recipient prior to sending".The health care worker's failure to double check and validate the correct fax number with the work comp adjuster prior to faxing Patient 1's medical information, resulted in the inadvertent and unauthorized release of protected health record information. This was also in violation of the patient's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights