Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: OE8711.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI), when Employee 1 included Patient A's prescription with Patient B's discharge packet on June 29, 2014, which resulted in an unauthorized disclosure of Patient A's PHI.Findings:On December 15, 2014 at 9:45 AM, a phone interview was conducted with Employee 1 and the Risk Manager (RM), and a Union Representative for Employee 1 regarding an entity reported incident of a breach of PHI for Patient A, detected on June 29, 2014. During the interview, Employee 1 stated that they had a new computer system which printed discharge information and prescriptions. She stated that two printers were used, one for discharge paperwork and one for prescriptions. She also stated that the prescriptions are always printed on blue paper and only providers have access to print prescriptions. During further interview with Employee 1, she stated that on June 29, 2014, a nurse (Employee 2), from the previous shift, prepared the discharge packet for Patient B. She further stated that she did review the paperwork prior to giving it the Patient B, but did not notice that Patient A's prescription was stuck to the back of Patient B's prescription.Employee 1 stated this was discovered when Patient B called the unit after discharge and reported the finding to her on June 29, 2014 at 6:00 PM. She also stated that Patient B returned Patient A's prescription to the unit on June, 29, 2014 before her shift was over. Employee 1 stated during the interview that in addition to the forms sticking together, she often feels rushed on the unit with several admits and discharges which also contributed to the breach. During a concurrent interview with Employee 1 and the RM, the RM stated Patient A was notified of the breach by letter on July 3, 2014. During a review of the documentation, a copy of the prescription was reviewed. The PHI disclosed included Patient A's name, address, age, DOB, and medications prescribed.A copy of the certified letter sent to Patient A was present and dated July 3, 2014.Employee 1's educational documents were reviewed including; Confidentiality Agreement dated 2/11/08, General Orientation Verification dated 2/11/08 and Educational Transcripts dated 5/24/14 which included HIPAA training.A review of the facility's policy and procedure titled "Confidentiality Policy" dated 1/22/14 reflects, "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient".The facility failed to ensure the correct prescription was sent home in the correct patient's discharge packet resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights