This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN ANTONIO REGIONAL HOSPITAL

999 SAN BERNARDINO RD, UPLAND, CA 91786

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 15, 2015. Also cited in 35 other reports.


Report ID: QDGB11.01, California Department of Public Health

Reported Entity: SAN ANTONIO REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure that their policy and procedure for confidentiality of protected health information (PHI) was implemented when the Medical Staff Coordinator accessed Patient A's electronic health record (EHR) without a business need to know. This resulted in an unauthorized disclosure of Patient A's PHI.

Findings:

On April 15, 2015 at 2:45 PM, a phone interview was conducted with the Director of Health Information Management (HIM) regarding an entity reported incident of a breach of Patient A's PHI detected by the facility on April 29, 2014. The Director of HIM stated the Medical Staff Coordinator accessed a patient's (Patient A) EHR without a need to view in order to do her work.

The Director of HIM stated that Patient A was notified on May 7, 2014, of the breached PHI, and provided a copy of the letter.

On April 20, 2015 at 3:00 PM, a phone interview was conducted with the Senior Vice President of Administrative Services and Compliance regarding this entity reported incident. The Senior Vice President of Administrative Services and Compliance stated, the Director of Medical Staff Services requested a random internal audit be conducted on the facility's EHR system. The Senior Vice President of Administrative Services and Compliance stated the audit (documented on a form known as P - 2 Sentinel Report) showed the name of employee involved (Medical Staff Coordinator) had accessed a patient's (Patient A) EHR on April 21, 2014 at 0632 (6:32 AM). The Senior Vice President of Administrative services and Compliance stated, "She had no reason to be in that chart."

On April 28, 2015 at 12:00 PM, a phone interview was conducted with the Medical Staff Coordinator regarding this entity reported incident. The Medical Staff Coordinator stated she came in to work and saw several dietary staff and they told her about a dietary employee (Patient A) being a patient upstairs. When other staff members from her department came in to work they mentioned they had heard about Patient A as well. The Medical Staff Coordinator stated, "He is a co-worker, but a friend also." The Medical Staff Coordinator stated she purchased a card from the gift shop, but not knowing his (Patient A's) location, she went in to his (Patient A's) EHR to find his room number. The Medical Staff Coordinator stated, "It was stupid and inappropriate. I know better."

The Medical Staff Coordinator stated she only accessed Patient A's EHR to locate the room number in order to send the card. The Medical Staff Coordinator stated when she opened Patient A's EHR the chart opened up on the screen and she scrolled to the bottom of the page and located Patient A's room number. The Medical Staff Coordinator denied accessing Patient A's chart to view Patient A's medical information. The Medical Staff Coordinator stated she did not open the individual tabs which would have opened the areas where the medical information was stored.

The Director of Medical Staff Services was unable to be interviewed due to no longer being an employee at facility.

A copy of the letter sent to Patient A dated May 7, 2014, informing him about the breach of PHI was reviewed.

A review of the audit document known as "P - 2 Sentinel Report" listed under headings titled "Personnel name" - Medical Staff Coordinator's name, "Participant Name" - Patient A's name, "Event Type" - open chart, "Event Name" - view encounter, "Role" - Quality Assurance, "Nurse / Unit" - Risk Manager, "Medical Record Number" - Patient A's medical record number, and "Timestamp" - 04/21/2014 06:32:31 PDT (6:32:31 AM Pacific Daylight Time).

A review of the facility's policy and procedure titled, "Confidentiality, Breach of Confidential Information - Discipline" dated July 2008 and revision date June 2009, indicated "Employees are prohibited from unauthorized or inappropriate accessing, using, disclosing, viewing, or handling of confidential information..."

A review of the facility's policy and procedure titled, "Confidentiality, Protecting Confidential Information" dated July 2008, indicated "Access to confidential information must be granted based on the minimum necessary regulatory standards, and only to workforce members who have a valid business need."

The facility failed to ensure the privacy and confidentiality of Patient A's PHI when the facility's policy and procedure for confidentiality of PHI was not followed resulting in an unauthorized release of Patient A's PHI.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
