Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAINT AGNES MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 7, 2014. Also cited in 16 other reports.
Report ID: MT9711.01, California Department of Public Health
Reported Entity: SAINT AGNES MEDICAL CENTER
Issue:
Based on staff interview, clinical and administrative document review, the hospital failed to keep Protected Health Information (PHI) for 3 Patients (Patients 2, 3, and 4) confidential when:1. Patient 1 was given Patient 2's armband containing PHI (refer to CA00383055).2. Patient 3's itemized bill was faxed to a private residence (refer to CA00386728).3. Patient 4's itemized bill was given to Patient 5 in error (refer to CA00385750).These failures resulted in not protecting the PHI for Patient 2, 3, and 4 and had the potential for unauthorized use. Findings: 1. Refer to CA00383055On 3/7/14 at 10:00 a.m., during an interview, the Privacy Officer stated that on 12/26/13 two patients were admitted who had the same first and last name. Patient's 2 armband containing PHI was placed on Patient 1. Patient identification on the armband was not double checked by the admitting clerk prior to placing it on Patient 1. Patient 2's PHI breached included name, date of birth, and medical record number. The facility policy and procedure titled " Privacy and Confidentiality Policy" dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job." 2. Refer to CA00386728On 3/7/14 at 10:00 a.m., during an interview, the Privacy Officer stated the Billing Department clerk faxed Patient 3's itemized bill to a private residence in error. The clerk did not double check the fax number prior to sending the itemized bill. Patient 3's PHI breached included name, address, insurance information, description of services, total charges and payments on account. The facility policy and procedure titled "Privacy and Confidentiality Policy", dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job." 3. Refer to CA00385750On 3/7/14 at 10:05 a.m., during an interview, the Privacy Officer stated that on 1/21/14, a copy of the itemized bill for Patient 4 was given to Patient 5 in error. The billing clerk did not double check the information on the itemized bill prior to giving it to Patient 5. The itemized bill contained Patient 4's name, address, insurance information, description of services, total charges and payments on the account. The facility policy and procedure titled "Privacy and Confidentiality Policy", dated 9/17/09, indicated: "The [Hospital] recognizes the importance of safeguarding and valuing the privacy of all patients' confidential information. Access and distribution of confidential information is limited to authorized individuals in the performance of normal job-related functions. Accessing, distributing, or using confidential information for any purpose other them performing normal job-related functions is a violation of privacy and confidentiality. Information should be provided only to those with the need to know in order to perform their job."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights