Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 12, 2013. Also cited in 24 other reports.
Report ID: DHT811.01, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Issue:
Based on interview and record review, the hospital failed to prevent unauthorized access to one patient's (Patient 1) medical information by three hospital staff. Findings:On 4/26/13 the California Department of Public Health received a faxed report from the hospital compliance director which indicated the hospital identified unauthorized access to Patient 1's health information.During an interview on 7/12/13 at 9:30 a.m., the compliance director stated the hospital considered Patient 1 a high profile patient and conducted a review of his electronic record access. The hospital determined Staff A, B and C accessed the medical record of Patient 1. The compliance director stated Staff A accessed the information on 3/30/13, Staff B on 3/31/13 and Staff C on 3/31/13. The information included name, date of birth, medical record number, physician, and diagnosis. The compliance director stated the three staff members had no clinical or business need to access the information. All staff members were suspended for seven days and Staff C was terminated.During an interview on 7/19/13 at 9:30 a.m., Staff A stated she clicked on Patient 1's name in the electronic record which then opened access to Patient 1's name, date of birth, medical record number, physician, and medical diagnosis. She had been requested to do so by a physician to determine Patient 1's whereabouts in the hospital. Staff A stated at the time she had no clinical or business need to view the information.Record review on 7/12/13 at 9:30 a.m. indicated Staff A completed an inservice on compliance and privacy on 8/24/12.During an interview on 7/22/13 at 7:00 a.m., Staff B stated she clicked on a heading in the electronic medical record which exposed Patient 1's name, date of birth, medical record number, physician, and diagnoses. She reviewed Patient 1's clinical record to plan what therapy would be necessary for his rehabilitation. Staff B stated at the time she was not assigned to Patient 1's care and therefore had no clinical or business need to access the information.According to the compliance director, "User Audit Report confirmed Staff C had accessed the same information as Staff A and B and ultimately was terminated. Staff C completed an inservice on privacy and compliance on 8/18/12. Despite multiple attempts Staff C could not be contacted for interview regarding this investigation. Telephone messages were left and none were returned.Record review on 7/19/13 at 1:30 p.m., of the hospital personnel manual dated 3/2012, indicated, "Everyone is expected to treat patient and hospital information in a respectful, professional, and confidential manner. Such information should never be viewed or discussed with another for reasons of personal interest or for reasons outside the employee's responsibilities."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280