Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 25, 2014. Also cited in 90 other reports.
Report ID: URRF11.01, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of patient health information (PHI) for one of three sampled patients (1), when a hospital employee accessed Patient 1's electronic medical records without a job related need. The failure resulted in the disclosure of PHI for Patient 1 to an unauthorized individual. Findings:The California Department of Public Health received a faxed report on 4/24/13, which indicated, on 4/17/13 Patient 1 had telephoned the hospital stating a staff member had released her information to her family member. An internal investigation confirmed a health services representative (HSR 1) had accessed Patient 1's electronic medical records on 2/1/13. HSR 1 had not provided care to Patients 1 and did not have a business related reason to access the patient's electronic medical records.During an interview on 7/25/14 at 11:05 a.m., the compliance and privacy officer (CPO) stated an internal investigation audit indicated HSR 1 accessed Patient 1's electronic medical record on 2/1/13, and according to HSR 1's supervisor, she did not have a job related reason to access Patient 1's medical records. CPO stated Patient 1 had threatened physical harm to HSR 1, so HSR 1 had looked to see if Patient 1 was still a patient in the hospital. CPO stated an internal audit indicated HSR 1 accessed Patient 1's clinical medical records, and Patient 1's name, date of birth, medical record number, location in the hospital, and probably social security number had been disclosed. During an interview on 7/25/14 at 12:30 p.m., HSR 1 stated Patient 1 had threatened her over the telephone and had come to her home threatening physical injury. HSR 1 accessed Patient 1's electronic medical record to obtain Patient 1's home address to give to police so she could fill out a report. HSR 1 further stated, accessing Patient 1's electronic medical record was not job related and she was not following hospital policy.A review of a copy of the computer audit for Patients 1 indicated HSR 1 had accessed Patient 1's electronic medical records once on 2/1/13. A review of a copy of a letter sent from the hospital to Patient 1 on 4/24/13 indicated the hospital was conducting an investigation into Patient 1's reported incident and had confirmed disclosure of Patient 1's medical information.A review of a copy of the hospital's 12/27/13 "Workforce General Obligations Regarding Uses and Disclosures of Protected Health Information" policy indicated patients have the right to request, access, and copy and inspect much of the PHI the Hospital creates and maintains on their behalf. The policy did not address the need for written authorization to access a patient's electronic medical records.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280