This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SUTTER SANTA ROSA REGIONAL HOSPITAL

30 MARK WEST SPRINGS ROAD SANTA ROSA, CA 95403

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 4, 2013. Also cited in 15 other reports.


Report ID: ILPS11, California Department of Public Health

Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of two patients' (Patient 1 and Patient 2) protected health information, when some of Patient 1's and Patient 2's medical information was faxed to the wrong parties. This failure allowed the unlawful or unauthorized access to protected health information.

Findings:

CA00369828

The California Department of Public Health was notified on 9/16/13 that a, "Breach of Protected Health Information (PHI)", occurred on 9/10/13.

During an interview on 10/4/13 at 11:45 a.m., Administrative Staff A stated that she received notification from Management Staff B, on 9/10/13, that Unlicensed Staff C sent a faxed copy of Patient 1's PHI in error to a Private Business. Management Staff B had been notified by Licensed Staff D, a co-worker of Unlicensed Staff C, when the Private Business called the facility to notify them that a fax had been received in error, on 9/10/13. Patient 1's discharge instructions included, her name, room number, age, date of birth, gender, medical record number, account number, discharge date, diagnoses, physicians names, medications, diet, wound care, weekly laboratory orders, follow up care appointments, and Physician's Drug Enforcement Agency number.

Administrative Staff A also stated that it was a human error, on the part of Unlicensed Staff C, in that she misdialed the fax number for Patient 1's Physician, xxx-xxx-xx07 and dialed the fax number for the Private Business, xxx-xxx-xx01, instead.

CA00369831

The California Department of Public Health was notified on 9/16/13 that a, "Breach of Protected Health Information (PHI)", occurred on 9/7/13.

During an interview on 10/4/13 at 11:45 a.m., Administrative Staff A stated that she received notification from Management Staff F, on 9/10/13, that Unlicensed Staff E sent a faxed copy of Patient 1's PHI in error to the Wrong Health Clinic. Management Staff F had been notified by the Wrong Health Clinic, when they faxed her that they had received PHI for Patient 2 in error, on 9/10/13. Patient 2's discharge summary included, her name, date of birth, medical record number, account number, admission/discharge date, diagnoses, hospital course, medications, diet, activity, other physician's names to receive copies and physicians to follow up with.

Administrative Staff A also stated that Unlicensed Staff F misinterpreted Patient 2's Physician's dictated request to send a copy to Patient 2's Health Clinic as being a request to send it to the Wrong Health Clinic.

A review of the facility Policy and Procedure for, "FACSIMILE (FAX) TRANSMISSION OF MEDICAL RECORDS", (7/12), reveals the following: "I. POLICY The sensitive information contained in health records may be transmitted via facsimile (fax) when delivery through the regular mail will not meet the requestors' or senders' needs, such as for patient care... II. PROCEDURE Faxing Protected Health Information (PHI):..6. Care should be taken to assure the fax transmission is sent to the appropriate destination. Destination numbers should be pre-programmed into the fax machine, if possible, to eliminate errors in transmission from misdialing. The fax number on the screen of the fax machine should be checked to be sure it is correct prior to pressing the "send" button".

A review of the facility Policy and Procedure for, "Workforce Confidentiality/Privacy and Appropriate Use of Facility Property", (no date), reveals the following: "C. Access and Use of Patient and Business Information... 3. Workforce members are expected to adhere to the following guidelines in order to maintain security and confidentiality: a. Ensure recipients of confidential information are authorized to receive it. Verify identities of recipients before releasing any information".

A review of the facility Policy and Procedure for, "Confidentiality of Patient Care Information", (10/10), reveals the following: "I. POLICY Persons receiving health care services have the right to expect that the confidentiality of individually identifiable medical information will be reasonably preserved. Information regarding the hospital's patients' medical or personal status will not be released or disclosed inappropriately... III. APPLICATION OF POLICY A. All patient-related information is confidential. It will be shared only with those persons that have a legal right (i.e. the patient or the patient's surrogate) or a legitimate work-related need to know".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
