Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SUTTER SANTA ROSA REGIONAL HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 19, 2012. Also cited in 15 other reports.
Report ID: 488J11, California Department of Public Health
Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL
Issue:
Based on observation, staff interview and policy review, the facility failed to ensure that patient health information was protected from unauthorized access when one patient's (Patient 1) medical information was mistakenly sent to another health organization with another patient's (Patient 2) record when Patient 2 was transferred there. The failure to safeguard Patient 1's personal medical information resulted in the potential misuse and disclosure of of information to persons not involved in the patient's care.Findings:During an interview on 4/19/12 at 2:10 p.m., The Privacy Officer stated that Patient 1 and Patient 2 were both on the same unit and the Clerk or Case Manager mixed Patient 1's reconciliation medication orders with Patient 2's discharge paperwork, that was going with Patient 2 back to a health organization where he lived. Patient 1 was being admitted to the facility. The Privacy Officer stated that Patient 1's health information went with Patients 2's information, along with Patient 2 back to the health organization. The Privacy Officer stated that staff at the health organization called the facility, said that they received Patient 1's health care information in with Patient 2's health record, and shredded Patient 1's health care information. During an interview on 4/23/12 at 4:10 p.m., the Facility Case Manager stated that the incident occurred when the fax machine, that they used to copy records, received a fax of Patient 1's labs and medications, when she was copying Patient 2's records for transfer to the health organization. The Facility Case Manager stated that in the middle of copying Patient 2's record, she had to answer her pager and then came back to finish the copying of Patient 2's record. The Facility Case Manager stated that Patient 1's labs and medication information were mixed in the middle of Patient 2's health information. The Facility Case Manager stated that she put the record in a folder for transfer with Patient 2 to the health organization. The Facility Case Manager stated that staff at the other health organization called her, and she told them to shred the information. The Case Manager stated that the health organization also contacted the Privacy Officer as well.On 8/10/12 at 11 a.m., review of the facility "Notice of privacy practices" pamphlet, provided to patients, effective date 4/14/2003, indicated under "Facility Responsibilities" that except for the purpose related to providing your treatment, collecting payment for services, performing necessary business functions, or otherwise permitted or required by law, "we will not use or disclose your health information without your authorization."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280