Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: UEWP11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient B, when Patient A was given Patient B's demographic information at the time of registration which resulted in an unauthorized disclosure of Patient B's PHI.Findings:On December 10, 2014 at 10:15 AM, a phone interview was conducted with Employee 1 and the Risk Manager (RM) regarding an entity reported incident of a breach of PHI for Patient B, detected on August 25, 2014. During the phone interview, Employee 1 stated that Employee 2 prepared a chart for Patient A prior to her appointment. She further stated that when Patient A came in to be seen on August 25, 2014, she was inadvertently given Patient B's demographic information. During further interview with Employee 1, she stated that Patient A signed that the demographic information was correct. Employee 1 stated that Patient A was sweating profusely and was believed to have low blood sugar so she was taken back to be seen quickly, and that Patient A did not read what she signed due to her symptoms. Employee 1 further stated that when the nurse checked the name and the date of birth on the chart, that the nurse realized the patient DOB (date of birth) and address on the form did not match the DOB and address in the chart. Employee 1 stated that the process for checking patient's identification is to use 2 patient identifiers, DOB and name.During a concurrent interview with Employee 1 and the RM, the RM stated that Patient B was notified of the breach of PHI by mail on August 29, 2014. During the interview with the RM, she stated that Employee 2 who assembled the chart had retired and was not available for interview. During a review of the documentation, it was noted that both Patient A and Patient B had the same first and last names. A copy of the breached information was reviewed which included the patients name, address, age, sex, marital status, race, religion, language spoken, next of kin name and address and phone number, emergency contact name, address and phone number, insurance information and physician name.A copy of the certified letter mailed to Patient B on August 29, 2014 informing her of the breach was present. A copy of Employee 1 and Employee 2's Confidentiality Agreement, General Orientation, and Educational Transcripts were reviewed, which included HIPAA training. A review of the facility's policy and procedures titled "Confidentiality" dated January 22, 2014 states "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient". The facility failed to ensure the correct patient information was given to Patient A resulting in unauthorized release of Patient B's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights