This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SONOMA VALLEY HOSPITAL

347 ANDRIEUX ST SONOMA, CA 95476

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 21, 2011. Also cited in 10 other reports.


Report ID: S2GM11, California Department of Public Health

Reported Entity: SONOMA VALLEY HOSPITAL

Issue:

Based on staff interview and record review, the facility [violated Health and Safety Code section 1280.15 when it] failed to prevent disclosure of medical information for a facility staff member (Staff A/Patient 1) when her medical information was discussed over the unsecured Internet, to all the facility staff, for a local fundraiser. This did reveal Staff A/Patient 1's medical information, contrary to policy and procedure. This failure did cause Staff A/Patient 1 emotional distress.

Findings:

The California Department of Public Health was notified on 3/24/11 that a, "Breach of Protected Health Information (PHI)", occurred on 3/22/11.

Review, on 9/21/11 at 3:30 p.m., of facility documentation for the event, revealed that on 3/22/11 at 8:55 a.m., Staff B sent an unsecured e-mail to all the facility staff (522 mailboxes) indicating that she would be honoring Staff A/Patient 1, who was undergoing chemotherapy for leukemia, for a local event in August, 2011 and Staff B encouraged everyone at the facility to join up. Staff A/Patient 1 had not given permission for her illness to be discussed.

During an interview with Administrative Staff C on 9/21/11 at 3 p.m., she stated that Staff B had no idea that it was a breach as she thought that it was only broadcast to facility staff and for a good cause.

During an interview with Administrative Staff C, on 9/21/11 at 3:45 p.m., she stated that Staff A/Patient 1 was upset about the breach of medical information.

During an interview with Staff A/Patient 1 on 9/4/12 at 11:20 a.m., she stated that, "I was upset when the breach occurred as I had not told many people and I was worried my 12 year old son would hear about it second hand. We had not told him".

Review on 9/21/11 of the facility Policy and Procedure for Confidentiality and Security reveals the following: "When sending or receiving confidential medical information, it is the duty of the facility to protect the confidentiality, and integrity of information as required by law, professional ethics, and accreditation requirements."

Concurrent review of the facility HIPAA, Privacy Training Module (dated 3/11), administered to newly hired employees during their orientation to the facility, reveals the following, "The facility outsources the email services. Email can be circulated, forwarded, and stored in numerous paper and electronic files; email can be intercepted, altered, forwarded or used without authorization or detection; email senders can easily misaddress an email; backup copies of email may exist even after the sender deletes the mail: Confidentiality of Internet or Intranet communications cannot be guaranteed;...PHI cannot be transmitted to any external email address unless it has been password protected, and the process used is approved by the IS department. Facility Intranet e-mail should be stripped of PHI data".

The facility violated the Health and Safety Code 128015(a) when a staff member disclosed and discussed Staff A's/Patient 1's medical condition over an unsecured internet for a fund raiser. This failure was not in keeping with the facility's policy and procedure and caused Staff A/Patient 1 emotional distress and Staff A/Patient 1 worried that her young son would find out about her medical condition second hand.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
