Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 26, 2014. Also cited in 46 other reports.
Report ID: P04111, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview, record and document review the hospital failed to ensure that a Patient's personal and protected health information (PHI) was kept confidential when an Access Service Representative (ASR) 1 accessed Patient 1's medical record using ASR 2's computer while logged into the computer system. As a result of this failure, ASR 1 had access to Patient 1's personal information.Findings:An investigation of an entity reported privacy breach was initiated on 9/26/14. It was reported to the California Department of Public Health that, on 9/12/14 an unauthorized and inadvertent disclosure of Patient 1's medical information had been accessed by an employee of the hospital. On 9/26/14 at 1:35 P.M., an interview was conducted with the Human Resource Director (HRD). The HRD stated that ASR 1 was on a leave of absence (LOA) and was not due to return back at work until 9/15/14. The HRD stated that ASR 1 came to the hospital on 9/12/14 and asked ASR 2, "to do her a favor" while ASR 2 was logged into the computer. The HRD stated that ASR 1 had told her (HRD) that she wanted to print a physician order so she could schedule an appointment for Patient 1. ASR 1 denied that she had touched ASR 2's computer initially but then told HRD "I should have gone into onbase (documenting imagine system)." On 9/26/14 at 2:13 P.M., an interview was conducted with ARS 2. ARS 2 stated that ARS 1 had come to her and asked her if she was logged into the computer and that ARS 2 responded "yes." ARS 2 stated that ARS 1 asked "can I see something, can I see your computer." ARS 2 stated that she got up and allowed ARS 1 to access the computer. ARS 2 stated that ARS 1 then asked "do you know how to print", and ARS 2 responded "no." ARS 2 stated that she heard the printer and that after ARS 1 had left. ARS 2 stated that she used the drop down screen and saw that ARS 2 had accessed Patient 1's medical record. On 9/26/14 at 2:35 P.M., an interview was conducted with the Patient Access Representative (PAR). PAR stated that ARS 1 had called her on 9/12/14 and mentioned something about, "just wanting to check something on Patient 1 and something about an order", then asked PAR if she could do her a favor. PAR stated that she told ARS 1 "no that she was busy." PAR stated that approximately 30 minutes later that ARS 1 had called a second time and requested a favor and PAR again responded that she was still busy. PAR stated that ARS 1 showed up at the hospital but that she was busy with a patient. On 10/30/14 at 1:45 P.M., an interview was conducted with the Lead Patient Account Specialist (LPAS). The LPAS stated that she was made aware that ASR 1 came to the hospital but that ASR 1 was on LOA. LPAS stated she called ASR 1 to inquire about being at the hospital and that ASR 1 denied that she had been at the hospital.On 10/30/14 at 1:55 P.M., an interview was conducted with HRD. HRD stated that ASR 1's employee badge was used to access the employee area. A review of the document titled "Access Denial, Granted and Other Badge Events...", dated 9/18/14, indicated on 9/12/14 at 7:29 P.M. "Access Granted on Facility Code...Main Lobby PAS...(ASR 1's name and employee number)."On 11/4/14 at 2:10 P.M., an interview was conducted with ASR 1. ASR 1 stated that she never accessed Patient 1's medical record and that it was ASR 2 that accessed the medical record. ASR 1 denied printing any information or that she had entered the department while on LOA. ASR 1 acknowledged that she did enter the department when made aware of the document titled "Access, Denial, Granted and Other Badge Events."A review of the hospital's policy and procedure, entitled "Confidentiality of Information", dated 9/14, indicated "I. Purpose: To establish policy to meet (hospital name) legal and ethical responsibility to protect the confidentiality of all Sensitive Information (financial, medical, demographic). II...Unauthorized access: the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnoses, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act..."The ASR 1's failure to follow the policy and procedure with regards to the accessing of Patient 1's medical record without a direct need, and ASR 2 allowing ASR 1 to use her computer, resulted in the inadvertent and unauthorized access of Patient 1's protected health record information. This was also in violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights