This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

ST. HELENA HOSPITAL CENTER FOR BEHAVIORAL HEALTH

525 OREGON ST, VALLEJO, CA 94590

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 1, 2013. Also cited in 13 other reports.


Report ID: JRZQ11, California Department of Public Health

Reported Entity: ST. HELENA HOSPITAL CENTER FOR BEHAVIORAL HEALTH

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) medical information when Patient 1's chart was sent to another California County which was not involved with the patient's care. This failure allowed the unlawful or unauthorized access to a patient's medical information.

Findings:

The California Department of Public Health was notified on 4/30/13 that a "Breach of Protected Health Information (PHI)" occurred on 4/24/13.

During an interview on 5/1/13 at 2 p.m., Administrative Staff A stated that she received notice from Licensed Staff B, on 4/29/13, indicating that Unlicensed Staff C had called to notify her, on 4/29/13, that the Wrong County had received Patient 1's PHI. Licensed Staff B had mailed Patient 1's chart, on 4/24/13, to the Wrong County's billing department to collect payment for Patient 1's stay at the facility. Administrative Staff A further stated that Patient 1's PHI should have been sent to the Right County and that Licensed Staff B had made a human error and not double checked the Wrong County address.

Patient 1's PHI included his full name, account number, medical record number, home address, telephone number, last 4 digits of his social security number, date of birth, age, gender, physician name, diagnoses, insurance carrier, admission date, history of illness, allergies, immunizations, family history, social history, developmental history, neurological/mental/physical exam, discharge date, and discharge instructions.

Review of the facility Policy and Procedure for "Workforce Awareness and Compliance Related to HIPAA Privacy Rule" (dated 10/4/02) reveals the following: "Under basic legal principles of respondeat superior, an employer is legally responsible for the behavior (and misbehavior) of its workforce...The HIPAA Privacy and Security Rules mandate that every covered entity have necessary and appropriate protections in place to control access to protected health information (PHI) and to prohibit unauthorized access to and dissemination of such information. Privacy cannot be protected unless the provider, payer and health plan take appropriate steps to guard that information and make reasonable and appropriate efforts to see that members of the workforce comply with privacy and security policies and procedures".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
