Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Mercy Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 28, 2012. Also cited in 34 other reports.
Report ID: 431811, California Department of Public Health
Reported Entity: MERCY MEDICAL CENTER
Issue:
Based on staff interview and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 163's discharge instructions were mistakenly given to Patient 164.2. Patient labels containing PHI for Patient's 165 and 166 were on the back of a prescription given to Patient 167.This failure placed Patient 163, 165, and 166's PHI at potential risk for unauthorized use.Findings:Refer to CA002978631. On 2/27/12 at 3:05 p.m., during an interview, Staff 1 stated on 1/27/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 9/22/11 Patient 163's discharge instruction was mistakenly given to Patient 164. Staff 1 stated it was Staffs responsibility to check the patients identification band to ensure the right patient received the right documents.Patient 163's discharge instructions contained the following PHI: name, date of birth, date of service, attending physician, account number and generalized care instructions.The facility policy and procedure number IM-312 titled "Safeguarding of Protected Health Information and Sensitive Information" contained the following documentation: "It is the policy of [Hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."2. On 2/27/12 at 2:40 p.m., during an interview, Staff 1 stated the facility became aware of a possible privacy breach. The facility's internal investigation determined a precription was given to Patient 167 with the patient labels for Patient's 165 and 166 on the back. The patient labels contained PHI.Patient 165 and 166's patient labels contained the following PHI: their names, dates of birth, dates of service, account numbers, medical record numbers, genders, physician names, treatment location and a handwritten notation of injury.The facility policy and procedure number IM-312 titled "Safeguarding of Protected Health Information and Sensitive Information" contained the following documentation: "It is the policy of [Hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights