Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 11, 2012. Also cited in 72 other reports.
Report ID: JIP411.02, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI) from unauthorized persons, in accordance with their policies and procedures, for 2 of 2 sampled patients (Patient 1 and Patient 2). Findings:1. On 5/9/12 at 4:56 P.M., the hospital reported to the Department that an unauthorized disclosure of patient information occurred when Patient 1's radiology report was faxed by the hospital's system to an Emergency Medical Group (not the intended recipient).A review of Patient 1's medical record was conducted on 7/11/12 at 9:05 A.M. Patient was admitted to the hospital's Emergency Department on 4/30/12, per the facesheet. A radiology report dated 4/30/12, contained the following confidential patient information: patient's name, attending physician name, date of birth, age, sex, date of service, medical record number, examination type, patient history, procedure date/time, and radiology findings.A telephone interview with a programmer specialist (PSI) for the imaging team was conducted on 7/11/12 at 4:30 P.M. The PSI stated that the hospital's system that automatically faxes documents should have been updated to reflect current physician information. She stated that the hospital had methods to ensure that updates were done periodically and also manually when necessary. A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures", effective date of 2/12, was conducted. The policy indicated that the hospital shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure." An interview with the Patient Relations Coordinator (PRC) was conducted on 7/11/12 at 4:40 P.M. The PRC acknowledged that the hospital's auto-fax system was not updated with the physician's current information. She acknowledged that an unauthorized disclosure occurred when Patient 1's radiology report was faxed inadvertently to an Emergency Medical Group instead of the intended recipient.2. On 5/9/12 at 4:56 P.M., the hospital reported to the Department that an unauthorized disclosure of patient information occurred when Patient 2's radiology report was faxed by the hospital's system to an Emergency Medical Group (not the intended recipient).A review of Patient 2's medical record was conducted on 7/11/12 at 9:05 A.M. Patient 2 was admitted to the hospital's Emergency Department on 5/4/12, per the facesheet. A radiology report dated 5/5/12, contained the following confidential patient information: patient's name, attending physician name, date of birth, age, sex, date of service, medical record number, examination type, patient history, procedure date/time, and radiology findings.A telephone interview with a programmer specialist (PSI) for the imaging team was conducted on 7/11/12 at 4:30 P.M. The PSI stated that the hospital's system that automatically faxes documents should have been updated to reflect current physician information. She stated that the hospital had methods to ensure that updates were done periodically and also manually when necessary. A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures," effective date of 2/12, was conducted. The policy indicated that the hospital shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure." An interview with the Patient Relations Coordinator (PRC) was conducted on 7/11/12 at 4:40 P.M. The PRC acknowledged that the hospital's auto-fax system was not updated with the physician's current information. She acknowledged that an unauthorized disclosure occurred when Patient 2's radiology report was faxed inadvertently to an Emergency Medical Group instead of the intended recipient.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights