Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 18, 2012. Also cited in 72 other reports.
Report ID: 0FC811, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and document review, the facility failed to ensure that its policy and procedure pertaining to confidential and protected healthcare information (PHI), was implemented by Licensed Nurse (LN) 1. Team assignment forms containing PHI of 26 patients was accessible to LN 1's family member.Findings:An investigation and interview was initiated on 1/18/12 at 2:30 P.M., with the Director of Risk Management (DRM). Eight team assignment forms with the hospital's logo and name were reviewed with the DRM. The forms held protected and confidential healthcare information related to 26 patients. The information included the first and last names for 23 patients, along with medical record numbers, admission dates (for the months of 2/07, 7/07, 8/07, 1/08, 2/08, 3/08, 4/08), room assignments, allergies, dates of birth, gender, age, physician, diagnoses, vital signs, lab results, treatments and procedures. Protected and confidential healthcare information for 3 other patients included only the last name of the patients, no medical record numbers or dates of birth, but diagnoses, procedures, vital signs and lab values were documented.The DRM confirmed that the team assignment sheets were from that facility. The DRM verified and confirmed that the patients were hospitalized in the facility on the dates indicated on the assignment sheets. The DRM acknowledged that LN 1 was employed by the facility from March 2007 through February 2009. The DRM acknowledged that LN 1 had failed to protect patient confidentiality when private and protected healthcare information was made available to an unauthorized individual, LN 1's family member.On 2/9/12 the facility's "Confidentiality of Information" policy and procedure, dated 11/10, was reviewed. Per the policy, "confidential information collected and/or generated within (name of facility) shall be maintained in a manner designed to restrict access to those individuals with a legitimate need to know the information. Violations of confidentiality included sharing of information outside of (name of facility) where there is a reasonable basis to believe that the person could still be identified from that information..."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights