Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CORONADO HOSPITAL AND HLTHCR CTR
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 18, 2012. Also cited in 18 other reports.
Report ID: 9J9Q11.02, California Department of Public Health
Reported Entity: SHARP CORONADO HOSPITAL AND HLTHCR CTR
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI) from unauthorized person(s) in accordance with their policies and procedures, for 1 of 1 sampled patients (Patient 1). A case manager inadvertently faxed Patient 1's confidential health information to an unintended recipient. Findings:On 10/12/12 at 5:42 P.M., the hospital reported to the Department that an unauthorized disclosure of patient health information occurred when Patient 1's facesheet, cardiologist consultation note and utilization review medical necessity notes, were faxed to the wrong recipient. A review of Patient 1's medical record was conducted on 10/18/12 at 2:15 P.M. Patient 1 was admitted to the hospital on 10/1/12, with diagnoses that included chest pain, per the facesheet. According to Patient 1's Consultation Note by cardiology dated 10/2/12, the following confidential patient/health information was disclosed: patient's name, medical record number, date of birth, admit number, physician name, reason for consult, history of present illness, past medical history, past surgical history, allergies, review of systems, physical exam findings, laboratory results, impression and recommendations. Patient 1's Utilization Review Medical Necessity Notes dated 10/5/12, contained the following confidential patient/health information: patient's name, admission date, date of birth, marital status, address, phone number, religion, age, emergency contact information, physician names, insurance information, admitting diagnosis, clinical review which revealed current and past medical histories, vital signs, EKG (electrocardiogram) results, medications and patient's disposition.An interview and joint record/document review with case manager (CM 1) was conducted on 10/18/12 at 3:12 P.M. CM 1 stated that she faxed Patient 1's facesheet, cardiologist consultation notes and utilization review medical necessity notes to a health management company which was not the intended recipient. She stated that she did not verify the accuracy of the fax number prior to sending the fax. She stated that the hospital's system was a preprogrammed computer system that sends these faxes to their intended recipients.A review of the hospital's policy entitled "Confidentiality of Information," effective date of 8/12, was conducted on 10/18/12. The policy's purpose indicated that the policy was established to meet the hospital's legal and ethical responsibility to protect the confidentiality of all Sensitive information (financial, medical, demographic). Per the same policy, under "Safeguarding of Information," it indicated that, "Sensitive information collected and/or generated within the [hospital name] shall be maintained in such a manner that access to it is restricted to those with a need to know. Information will be restricted to those with a legal right under authorization, those participating in treatment, payment, healthcare operations and as mandated by state and federal laws in accordance with [hospital name's] policies."A review of the hospital's policy entitled "Data Encryption and Transmission Security," effective date of 5/12, was conducted on 10/18/12. The policy under facsimile, indicated that "In choosing to use facsimile or e-mail for communication of PHI, take into account the following:d. See hospital intranet for additional facsimile guidance (a website is provided).According to the hospital's website entitled "Facsimile of Protected Health Information," it listed fax safeguards which included to verify the accuracy of the fax number with the intended recipient before sending the the fax.An interview and joint document review with the case management manager (CMM) was conducted on 10/18/12 at 3:40 P.M. The CMM stated that her staff case managers did not verify the accuracy of fax numbers prior to sending faxes. She stated that the hospital had a preprogrammed computer system that contained a database of fax numbers for most if not all their contacts. She stated that the case managers also worked closely with the hospital's business office staff when obtaining fax numbers in order to fax patient documents and utilization reviews requested from them.An interview with the Director of Quality (DOQ) was conducted on 10/18/12 at 3:55 P.M. The DOQ acknowledged that an unauthorized disclosure occurred when Patient 1's facesheet, cardiology consult notes and utilization review medical necessity notes, were faxed to a health management company that was not the intended recipient, by CM 1. She further acknowledged that fax numbers needed to be verified from the intended recipient prior to sending confidential patient/health information via fax.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights