SHARP CHULA VISTA MEDICAL CENTER

Report ID: 577T11.01, California Department of Public Health

Reported Entity: SHARP CHULA VISTA MEDICAL CENTER

Issue:

Based on interview and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a health care worker (HCW) accessed Patient 1's PHI without the direct need to know for medical diagnosis, or treatment. As a result of this failure, HCW had access to Patient 1's personal information. Findings:An on site investigation of an entity reported privacy breach was initiated on 1/3/14. It was reported to the California Department of Public Health that, on 11/19/13 an unauthorized and intentional disclosure of Patient 1's PHI was accessed by a hospital health care worker without the direct need to know.On 1/3/14 at 2:40 P.M., an interview was conducted with the Manager of Patient Relations/Risk Management (MRM). The MRM stated that random audits are done to check for employees that access PHI without the need to know. The audit log done on 11/19/13 revealed that HCW had accessed his spouses (Patient 1's) medical record in multiple different areas of the hospitals electronic medical record (EMR) on 10/8/13 starting at 9:45 A.M. thru 9:51 A.M. On 4/24/14 at 3:06 P.M., an interview was conducted with the Radiology Manager (RM). RM stated when she got the audit log she spoke to HCW. HCW told RM that he accessed Patient 1's medical record because Patient 1 had an ultrasound procedure and that he was training another ultrasound technician. RM stated that after further investigation of the date of service for Patient 1 and the audit log that showed the date the record was accessed, were two different dates. RM stated that she re-interviewed HCW with that information and that HCW had no further response. A review of HCW's employee file was conducted with the Vice President/Clinical Support (VPCS). HCW's job description was reviewed and indicated "Quality assurance - Follows HIPAA (Health Insurance Portability and Accountability Act) guidelines for PHI as appropriate," HCW signed and dated 11/14/13, which indicated he had read and understood the job description. HWC had completed the hospital's annual required HIPAA training on 7/13/13. On 2/3/15 at 10:34 A.M., an interview was conducted with HWC. HWC stated that he was training a student and that the student had performed the ultrasound on Patient 1. HWC stated that he accessed Patient 1's medical record to check labs. HWC denied that he had accessed Patient 1's medical record on a different day then when the ultrasound had been performed. The hospital's policy and procedure titled "Confidentiality of information," dated 8/12, indicated "I. Unauthorized Use or Viewing of Sensitive Information. Viewing or obtaining sensitive information not needed for an assigned or professionally appropriate task... constitutes a violation of confidentiality. Individuals may not: 1. Allow or participate in access, use or disclosure of sensitive information not needed for their job. This includes, but is not limited to, information belonging to other employees, co-workers, family or friends..." This policy was not followed when HCW accessed his spouses (Patient 1) medical record without the direct need to know for medical diagnosis, or treatment. This was also in violation of the patient's right to confidentiality of all communications and record pertaining to health care received at the hospital.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: FJDU11.01