This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA

23625 W R HOLMAN HIGHWAY MONTEREY, CA 93940

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 7, 2013. Also cited in 24 other reports.


Report ID: BFVP11.02, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA

Issue:

Based on interview and record review, the hospital failed to protect the right for confidential treatment of medical records for one of one sampled patient (1), when unauthorized staff accessed the patient's medical information.

Findings:

During an interview on 1/7/13 at 11:30 a.m., the privacy officer (PO) stated Patient 1 was a hospital employee. The PO stated due to the potential for employees to access Patient 1's record, she and her assistant performed an audit of staff who had accessed Patient 1's electronic record, including what medical information was seen, and when. She stated the 11/28/12 audit indicated six employees (EA, EB, EC, ED, EE, and EF) had accessed the record without legitimate business reasons to do so, and in violation of hospital policy and procedure.

During further interview on 2/6/13 at 11:57 a.m., the PO stated the audit of Patient 1's record began on 11/14/12. She stated the first detection of possible unauthorized access was on 11/19/12 and the audit was completed on 12/5/12. The PO stated she and the manager for each employee conducted an internal investigation. The PO stated in interviews conducted during the investigation, EA stated she liked to see how people were doing, EB stated he logged on to the computer but walked away and left it unsecured in a high traffic area. EC stated she also logged on but left the computer unsecured in a high traffic area, ED stated she wanted to pray for the patient, EE stated she was following-up on the patient, and EF stated she wanted to see if the patient was in the intensive care unit.

On 1/9/13 a review of the hospital electronic record audit indicated the following:

EA accessed the record on 11/10/12 and viewed patient location and business information and diagnostic study results.
EB accessed the record on 11/9/12 and viewed patient business information and medical records.
EC accessed the record on 11/5/12 and viewed patient location, business information, and medical records.
ED accessed the record on 11/7, 11/8, 11/9, and 11/13/12 and viewed patient location and business information.
EE accessed the record on 11/11/12 and viewed the entire medical record.
EF accessed the record on 11/14/12 and viewed patient location, business information, and part of the medical record.

During an interview on 1/16/13 at 11 a.m., ED stated she accessed Patient 1's record on "more than one occasion" because she was concerned about Patient 1's condition. ED stated she did not have a business reason to access the record. She stated she received annual training regarding confidentiality of records but on this occasion was lax because she had known the patient for many years.

During an interview on 1/17/13 at 8:15 a.m., EB stated on 11/9/13 using a password, he logged on to a computer terminal located near a hospital entrance in a high traffic area. He stated he used the computer to document patient care. He stated he went on a break without logging off the computer. EB stated someone other than himself used the computer under his password to view Patient 1's record during the time he was on break. EB stated he received annual information security training, but decided to take a chance on staying logged on during the break. He stated the log-on procedure takes some time to do and repeated logging on and off can be time consuming.

On 1/11/13 a review of the 3/2012 hospital policy and procedure titled "Confidentiality of Patient and Hospital Business Information" indicated employees must treat patient information in a confidential manner. The policy indicated employees were not permitted to view patient information for reasons of personal interest or for reasons outside the employee's responsibilities.

On 1/11/13 a review of the 4/2010 hospital policy and procedure titled "Workstation Acquisition, Use, and Security Policy" indicated employees must not leave the computer workstation unsupervised for any period of time while logged on in high traffic areas.

Information viewed included the patient's name, current location, visit reason, allergies, address, phone number, age, gender, marital status, birth date, religious affiliation, physician orders, diagnostic test results, history and physical, progress notes, consultation notes, patient care plans, vital signs, assessments, interventions, and legal documents.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
