Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST JUDE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 4, 2014. Also cited in 29 other reports.
Report ID: JMSE11, California Department of Public Health
Reported Entity: ST JUDE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent the disclosure of 13 patients' protected health information (PHI) to unauthorized individuals (Patients A, B, Ea, Eb, Ec, F, G, H, Ia, Ib, J, K, and L).Findings:1. Review of hospital documents showed, on 10/17/11, the Privacy Officer was made aware a breach of Patient A's PHI occurred. On 10/14/11, a staff in the Patient Financial Services department (PFS) registered a patient with the same first and last name and the same date of birth (DOB) as Patient A. Investigation showed these two patients had different middle names. The incorrect patient was registered and subsequently the incorrect insurance company was billed for services provided to the incorrect patient.Patient A's disclosed PHI included full name and services rendered.2. Review of the hospital's investigation showed, on 10/27/11, the health information management (HIM) department was notified by a physician's office they were faxed a medical record of a patient who did not receive services from the physician. It was found that a HIM staff inadvertently picked up the wrong medical record from the printer and faxed it to the incorrect physician. Patient B's disclosed PHI included name, DOB and medical record contents, such as history and physical, progress notes, medications, laboratory and test results, demographic and insurance information.3. Review of hospital documentation showed the Privacy Officer was notified on 3/16/12, that on 2/11, 2/27 and 3/16/12, three different patients were mistakenly given the discharge instructions belonging to other patients during the discharge process. Patient's Ea, Eb and Ec's disclosed PHI included patient identifiers (names, DOB, height, weight), medications and aftercare instructions. 4. Review of the hospital's investigation showed on 3/16/12, a breach of Patient F's PHI occurred. A Social Worker working on placement of a patient for a lower level of care chose a name similar to the one intended; however, chose and faxed clinical information belonging to Patient F, the incorrect patient, to three different locations in the community.Patient F's disclosed PHI included name, DOB, insurance information and clinical information. 5. On 3/12/12, Patient G called the PFS department with documented information to show her employer was billed for her hospitalization on 2/15/12, and this was confirmed in the hospital's documentation. The investigation showed during the registration process the previous guarantor (payor) information was carried over and the wrong entity was billed.Patient G's disclosed PHI included name, DOB, and insurance information.6. Review of the hospital's documentation showed a patient contacted PFS on 3/20/12, and informed them of finding another patient's information in their paperwork that was mailed to them. The hospital's investigation showed that patient's paperwork was sent out on or about 2/23/12.Patient H's disclosed PHI included name, DOB, date of services and charges.7. Review of hospital documentation showed on 3/29/12, the Privacy Officer was made aware a breach of Patient Ia's PHI occurred on 3/19/12, and a breach of Patient Ib's PHI occurred on 3/29/12.Review of the hospital's investigation showed two other patients were in the Emergency Department (ED); upon their discharges the patients received the discharge instruction forms belonging to Patient's Ia and Ib.Both Patient Ia and Ib's disclosed PHI included names, DOBs, discharge/aftercare instructions and medical record numbers (MR#'s).8. Review of hospital documentation showed on 3/20/12, the Privacy Officer was notified a patient who was discharged from the ED was given the discharge instructions belonging to Patient J. The investigation showed there were two patients with similar names with the same diagnosis and both sets of discharge instructions had Patient J's name on them.Patient J's disclosed PHI included name, DOB and MR#.9. Review of hospital documentation showed on 4/2/12, a physician in the ED accessed the electronic medical record of Patient K on the computer, as Patient K was a patient in the ED. However, when the physician was done and left the ED, the computer screen was left open to the electronic medical record of Patient K. A staff, without the need to know, passed by and viewed the computer screen open to the electronic medical record of Patient K and closed it. Patient K's PHI was disclosed to an unauthorized person.10. Review of the hospital's investigation, dated 1/4/12, showed a Physician Assistant who discharged a patient from the ED noticed, after the patient left, the instructions given to the discharged patient belonged to Patient L. Patient L's disclosed PHI included the discharge instructions with date of service, name, DOB, and MR#.On 3/17/14 at 1300 hours, a conference call with the Manager of Regulatory Compliance/Clinical Outcomes confirmed the breaches occurred as documented.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280