This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SANTA CLARA VALLEY MEDICAL CENTER

751 SOUTH BASCOM AVENUE, SAN JOSE, CA 95128

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 12, 2014. Also cited in 90 other reports.


Report ID: UX7L11.01, California Department of Public Health

Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to prevent the unauthorized access of patient health information (PHI), when a clinic staff member (Staff A) accessed Patient 1's PHI without a job related reason to do so.

The California Department of Public Health received a faxed report on 2/25/13, which indicated Patient 1's acquaintance knew medical knowledge about Patient 1, which Patient 1 had neither disclosed nor consented for Patient 1's acquaintance to know.

During an interview on 5/12/14 at 3 p.m., in the presence of the compliance and privacy officer, the quality improvement manager, and the Ethics and Compliance officer, the following was stated. Patient 1 notified hospital staff that Patient 1's acquaintance knew medical information regarding her care received at the hospital. An audit of Patient 1's medical record was conducted and the hospital identified Staff A had accessed Patient 1's PHI on two separate occasions, 2/19/13 and 2/20/13. The hospital determined Staff A had no business related reason to access Patient 1's PHI because Staff A did not work at the clinic where Patient 1 was receiving care.

A review on 5/20/14 of a copy of the audit log indicated Patient 1's medical record was accessed via computer on 2/19/13 at 2:58 p.m. and on 2/20/13 at 3:01 p.m. The audit log indicated the user ID accessing Patient 1's medical record belonged to Staff A.

A review on 6/4/14 of an email correspondence sent to the Department from the hospital indicated the audit log did not provide details as to what information was accessed by Staff A, but Staff A could have accessed the following information regarding Patient 1: demographic information, emergency contact information, insurance information, clinical orders, and appointment information.

On 5/23/14, review of a copy of a letter sent to Patient 1 from the hospital indicated Patient 1's medical information was disclosed. Disclosed information included date of and reason of a visit, and procedure performed.

Staff A was terminated by the Hospital and was unable to be interviewed.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
