Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Scripps Mercy Hospital
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 8, 2013. Also cited in 72 other reports.
Report ID: 6KLX11, California Department of Public Health
Reported Entity: SCRIPPS MERCY HOSPITAL
Issue:
Based on interview, document and record review the hospital failed to ensure that one patient's (Patient A) protected health information (PHI) was kept confidential and not disclosed to another health care worker without Patient A's prior authorization.Findings:An onsite investigation of an entity reported privacy breach was initiated on 8/8/13 at 3:00 P.M. An interview was conducted with the hospital's Clinical Risk Specialist (CRS). The CRS stated that on 7/6/13, Patient a was admitted to the hospital's Emergency Department (ED) after a self hanging suicide attempt. Patient A was treated in the ED and transferred to a psychiatric hospital. Upon her discharge from the Psychiatric Hospital, on 7/17/12, Patient A returned to wok as an Operating Room (OR) Technician at another local hospital. Patient A's co-worker, an OR Registered Nurse (RN 1), knew that patient A had been in the hospital and the reason for her hospitalization. The co-worker stated that she was informed by a friend. On 10/9/13 at 2:45 P.M., an interview was conducted with the hospital's Director of Risk Management (DRM). The DRM stated that the hospital had been informed that the individual that disclosed Patient A's PHI, by texting a message to RN 1 regarding Patient A's attempted suicide, was an attending physician (MD 1) at their hospital.A review of the hospital's policy and procedure, entitled "Health Information, Access, Use and Disclosure" and dated 2/12, indicated that "[Name of hospital] shall access use and disclose protected health information with authorization of patient/legal representatives and in accordance with mandate state and federal disclosure requirements as outlined in this policy and related policies...All personnel providing services within the [name of hospital] organization to include but not limited to employees, volunteers, physicians, Allied Health Professionals, students and contracted and affiliated business associates are responsible for: 1. Awareness of this policy and it's requirements for protecting patient health information from unauthorized access, use or disclosure."An interview was conducted with the Senior Director of Medical Affairs (SDMA) on 12/10/13 at 3:00 P.M. The SDMA stated that during rounds one day MD 1 heard about Patient A's attempted suicide and treatment in the hospital's ED. MD 1 proceeded to send a text to RN 1 with this information because he knew that they were friends. The SDMA further explained that, after investigating the incident, MD 1 was sent a formal letter of reprimand for not following hospital policy and procedure and for the disclosure of Patient A's PHI without her prior authorization.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights