Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 2, 2014. Also cited in 103 other reports.
Report ID: 7MYX11, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to prevent unauthorized access to eight patients' protected health information.Findings:In interview on 6/2/14 at 11 a.m., Staff A stated that on 3/11/14, Staff B reported to her that Staff C was "bullying" him and had accessed the medical record of Patient 1 allegedly in order to find out if Staff B had made any any mistakes. Staff A audited Staff C's access to medical records and discovered that Staff C had accessed the records of 8 patients whose information he did not have the authority to access. Staff A stated that only the clinic charge nurse and the nurse manager have the authority to access all records. Other staff members can only access the records of patients for whom they are providing care. Staff A stated that the breaches were reported to Staff D on 3/18/14. In interview on 6/2/14 at 11:30 a.m., Staff D stated that on 3/20/14, three days after discovery, letters were sent to all eight patients whose information had been breached. Staff D stated that she reported the breaches to the department on 3/20/14 as well.Review of facility policy "Confidentiality of Patient/Client Information" on 6/2/14 demonstrated that inappropriate review or viewing of patient information without a direct need for diagnosis, treatment, or other lawful use is considered unauthorized access. Employees shall only have access to patient/client information as needed to carry out their specific job duties.Document review on 6/2/14 demonstrated that Staff C had signed a document on 6/20/13 stating that he had read and understood the policy on confidentiality of patient information and the policy on health services network and internet use. He signed that he understood that he would be subject to disciplinary action up to and including termination of his employment contract if he violated any provision of the policies.Document review on 6/2/14 verified that all eight patients and the department were informed of the protected health information breaches within five business days of discovery of the breaches.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280