Apr 23, 2012

This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Mercy Medical Center

333 MERCY AVENUE MERCED, CA 95340

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 23, 2012. Also cited in 34 other reports.


Report ID: CFNF11, California Department of Public Health

Reported Entity: MERCY MEDICAL CENTER

Issue:

Based on staff interview and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's electrocardiogram (EKG) report was mistakenly given to Patient 2.
2. A label containing Patient 3's PHI was mistakenly given to Patient 4.

This failure placed Patient 1 and Patient 3's PHI at a potential risk for unauthorized use.

Findings:

Refer to CA00304015

1. On 4/26/12 at 12:15 p.m., Staff 1 (Privacy Officer) stated on 3/19/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 3/16/12 Staff 2 (Registered Nurse) mistakenly gave Patient 1's EKG report to Patient 2. Staff 1 stated it was Staff 2's responsibility to check the patient's identification band to ensure the right patient received the right information.

On 4/27/12 at 2:15 p.m., the EKG report was reviewed and contained Patient 1's name, date of birth, date of service, account number, medical record number, attending physician and diagnostic findings.

On 3/6/12 at 4:40 p.m., the facility policy and procedure number IM-312 titled "Safeguarding of Protected Health Information and Sensitive Information" contained the following documentation: "It is the policy of [Hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."

Refer to CA00306350

2. On 4/26/12 at 12:15 p.m., Staff 1 stated on 4/5/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 3/29/12 a label containing Patient 3's PHI was mistakenly given to Patient 4. Staff 1 stated it was Staff's responsibility to check the patient's identification band to ensure the right patient received the right information.

On 4/26/12 at 12:28 p.m., Staff 1 stated the label contained Patient 3's name, date of birth, date of service, attending physician, account number and medical record number.

On 3/6/12 at 4:40 p.m., the facility policy and procedure number IM-312 titled "Safeguarding of Protected Health Information and Sensitive Information" contained the following documentation: "It is the policy of [Hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
