Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 14, 2013. Also cited in 103 other reports.
Report ID: ZU6711.01, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) protected health information, when Patient 1's discharge instructions were discussed, in a high risk area, where they could be overheard. This failure allowed the unlawful or unauthorized access of protected health information to passers-by.Findings:The California Department of Public Health was notified on 11/9/12 that a, "Breach of Protected Health Information (PHI)", occurred on 10/1/12.During an interview on 8/30/13 at 11 a.m., Administrative Staff A stated that she received information, on 11/8/12, from Unlicensed Staff B that Patient 1's discharge PHI was discussed, by Licensed Staff C, in the entry of the Psychiatric Emergency Department, on 10/1/12.Administrative Staff A also stated that Patient 1's Mother, who had been present at the time of the discussion, 10/1/12, did not complain to Unlicensed Staff B until 11/8/12. Administrative Staff A further stated that Licensed Staff D communicated to her that, "Discussion of patient information(including aftercare and follow up instructions with family members and/or support people) should be conducted in a private area outside of audio purview of other patients, family members, and EMTs. You should seek a private area outside of the sally port, use the visitation room if not occupied, or use the interview rooms if not occupied. Disclosing patient information in front of other patients, family members, support people and EMTs without the expressed permission of patient and/or guardian constitutes a privacy violation.Review of the facility Policy and Procedure for "Confidentiality of Patient/Client Information" (dated 6/11) reveals the following: "POLICY...Caution must be exercised to protect the confidentiality of all patients/clients, with particular attention given to Facility Health Plan Members who may be...patients with...mental health conditions".Review of the facility Policy and Procedure for "Safeguarding Protected Health Information" (dated 8/13) reveals the following: "PURPOSE To provide guidance and establish criteria fro safeguarding protected health information (PHI) in a manner that minimizes the risk of unauthorized access, use, or disclosure...C. Safeguarding Oral PHI 1. Work force members must take reasonable steps (e.g., lowering voices, moving to a more protected area, etc.) to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs, and should be aware of risk levels. a. Low risk: interview rooms, enclosed offices, and conference rooms. b. Medium risk: employee only areas, telephone, and individual cubicles. c. High risk: public areas, reception areas, and shared cubicles housing multiple staff where clients are routinely present".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280