Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 9, 2013. Also cited in 72 other reports.
Report ID: 1PQT11.02, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI- is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual) from unauthorized person(s) in accordance with their policies and procedures, for 1 of 1 sampled patient (Patient 1). Patient 1's sleep study report was faxed to an auto glass replacement and repair company which was not the intended recipient.Findings:On 12/28/12 at 4:28 P.M., the hospital reported to the Department that Patient 1's sleep study report was faxed to an auto glass replacement and repair company and not the intended recipient. Per the hospital, the physician's office provided them with an erroneous fax number.A review of Patient 1's medical record was conducted on 1/9/13 at 3:25 P.M. Patient 1 was admitted to the hospital on 12/4/12, per the facesheet. According to Patient 1's Polysomnography Results and Interpretation report dated 12/4/12, contained the following confidential patient information: patient's name, medical record number, date of birth, what type of data that was collected during the study, the results/impression, recommendation and diagnosis. A telephone interview with the Access Representative II (AR2) was conducted on 1/10/13 at 9:15 A.M. AR 2 stated that a patient will not be scheduled for a sleep study until the hospital's Sleep Disorders Center Order Form was completed. She stated that Patient 1's Order Form was completed and contained all the information that they needed to fax and mail the sleep study report to the intended recipient (authorized person/entity). She stated that Patient 1's sleep study report was faxed on 12/19/12 to the number listed on the Order Form dated 9/20/12. She stated that the fax number was clear but was not aware that the fax number written on the Patient 1's Order Form was wrong.A review of the hospital's policy and procedure entitled "Health Information, Access, Use and Disclosures," effective date of 2/12, was conducted. The policy indicated that the hospital shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandated state and federal disclosure requirements. Per the same policy, it indicated that "All personnel providing services within the (hospital name) organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure." A joint telephone interview with the Patient Relations Coordinator (PRC) and the Director of Risk Management (DRM) was conducted on 1/10/13 at 2:00 P.M. The DRM stated that the hospital's practice of ensuring that Sleep Disorders Center Order Form was completed before admission, contained the most current information to include mailing address and fax number. However, she acknowledged that Patient 1's sleep study report was faxed to an auto glass replacement and repair company (not the intended recipient) because the fax number that was listed by the physician's office, on the Order Form, was wrong.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights