Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 19, 2014. Also cited in 41 other reports.
Report ID: 8IRB11.01, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for 41 patients, when a census list was lost by Volunteer 1 while making rounds to provide Holy Communion for the patients. This placed the 41 patients at risk for identity theft.Findings:On June 24, 2014 at 3:15 PM , a phone interview was conducted with the Facility Privacy Officer (FPO) to investigate an entity reported incident of a breach of patient's Protected Health information (PHI) for 41 patients.During the interview, the FPO described the event as follows: "On February 13, 2013, a volunteer Eucharistic Minister (Volunteer 1), who administered Holy Communion to patients, lost a list containing the following PHI for these patients: name, room number, sex, age, religious preference, admit date and date of sacrament for the sick if administered), while making rounds throughout the hospital to administer communion."During a review on June 24, 2014, of the facility's investigative report, the report indicated Volunteer 1 admitted to losing the census containing 41 patients PHI. A copy of the letter from [Volunteer 1's church] that had been sent to the FPO regarding Volunteer 1, outlined the protocol the church required to safeguard patient information, and in the letter the church verified Volunteer 1 had lost the list of 41 patients' names. During a review of the facility policy and procedure titled, "Privacy Principles," dated January 17, 2012, the policy indicated,The privacy principles as described herein require that all Protected Health Information (PHI), as defined in the rules and regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), be maintained and secured in a manner required by the Act and other applicable federal and state laws." A review of the facility's, "Annual Education Update Requirements 2014," indicated, "All employees, business associates, contractors, and volunteers are responsible for taking an active role to protect patient and confidential information."The failure of Volunteer 1 to safeguard the list containing the PHI for 41 patients while making rounds throughout the hospital, placed all 41 patients at risk for identity theft.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights