Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 1, 2014. Also cited in 55 other reports.
Report ID: XQDE11, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview, and record review, the facility failed to safeguard confidential protected health information (PHI) for Patient A (also a facility employee), when a registered nurse/team leader (RN/TL) accessed Patient A ' s clinical record without authorization, for the purposes of determining when Patient A was admitted and discharged from the Emergency Department (ED) in order to verify timecard punches.This resulted in a breach of Patient A ' s confidential PHI.Finding:On July 7, 2014 a review of Patient A ' s face sheet was conducted. It indicated that Patient A was admitted to the ED on June 17, 2014 at 3:04 PM with a complaint of pain to the right eye.On July 9, 2014 at 3:20 PM, a phone interview was conducted with the Facility Privacy Officer (FPO) regarding a breach of PHI for Patient A, which was detected by the facility on June 20, 2014. She stated, "The RN/TL of the surgical services/sterilization process department where Patient A worked, accessed the clinical record of Patient A who was seen in the ED shortly after arriving at work on June 17, 2014, for the purposes of determining when Patient A (also a facility employee) was discharged from the ED, to verify Patient A ' s timecard punches."The FPO further stated, "Patient A did not punch out after being discharged from the Emergency Department and completed an "Oops sheet" (a document submitted to the timekeeping supervisor, used by employees to write their missed clocking ' s for manual entry into the timekeeping system). When the RN/TL reviewed Patient A ' s "Oops sheet", she had reason to believe the time documented by Patient A was not correct, so the RN/TL accessed Patient A ' s clinical record to view Patient A ' s timeline in the ED, time in and time discharged. The RN/TL was not familiar with the new computerized charting system used outside of her department, so when she accessed Patient A ' s clinical record, she navigated through different tabs to find Patient A ' s demographic information which contained the information she required."The FPO further stated, "The PHI disclosed included Patient A ' s name, date of birth (DOB), medical record number, age, sex, diagnosis, prescriptions from ED visit, arrival date and time to ED, ED triage assessment, ED screening assessment, ED notes and ED adult disposition assessment." A review of facility Policy and Procedure titled "Confidential Policy", effective date January 24, 2012 indicated:"The safeguarding of patient information from unauthorized, inappropriate and unlawful use and disclosure is required by law and is consistent with the values of the (facility name) ministry. Employees are required to follow all policies and procedures and (facility name) standards of conduct regarding use and disclosure of business and patient information."A review of facility Policy and Procedure titled "Patient Rights and Responsibilities", effective date October 24, 2012 indicated:"Patient Rights""12. Confidential treatment of all communications and records pertaining to your care and stay in the hospital."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights