Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 5, 2012. Also cited in 72 other reports.
Report ID: I5H211.02, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI) from unauthorized persons in accordance with their policies and procedures, for 1 of 1 sampled patient (Patient 1). Contents of Patient 1's medical record were faxed to an office interior design company.Findings:On 12/28/11 at 4:40 P.M., the hospital reported to the Department that an unauthorized disclosure of patient information occurred when Patient 1's Emergency Department Record, consultation report and radiology result report were inadvertently faxed to an office interior design company.A review of Patient 1's medical record was conducted on 1/5/12 at 3:15 P.M. Patient 1 was admitted to the Emergency Department on 12/25/11 per the facesheet. Patient 1's Emergency Record, dated 12/25/11, contained patient's name, medical record number, account number, date of service, chief complaint, history, physical exam findings, medication, allergies, diagnosis and treatment plan. Patient 1's consultation report, dated 12/25/11, contained the same information found in the Emergency Record. Patient 1's radiology result report had the patient's name, age, physician name, procedure performed and the findings of the exam.A telephone interview with the health information staff (HS 1) was conducted on 1/6/12 at 10:30 A.M. HS 1 stated that she did not verify that she had the correct fax number prior to sending the fax. She stated that the hospital's policy was to verify the fax number to ensure that documents were sent to the intended recipient.A telephone interview with the health information manager (HIM) was conducted on 1/6/12 at 10:45 A.M. The HIM stated that health information staff were expected to verify fax numbers before faxing confidential patient information (medical records) and confirming that correct documents were sent to the intended recipient in accordance with the hospital's policy. She acknowledged that HS 1 did not verify the fax number because Patient 1's protected health information was faxed and disclosed to an office interior design company (unauthorized person).A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures" effective date of 1/09 was conducted on 11/1/11. The policy indicated that the hospital shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights