This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN ANTONIO REGIONAL HOSPITAL

999 SAN BERNARDINO RD, UPLAND, CA 91786

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 12, 2014. Also cited in 35 other reports.


Report ID: V31Q11.01, California Department of Public Health

Reported Entity: SAN ANTONIO REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure the confidential treatment of two patients (Patients A and B's) protected health information (PHI), when a Phlebotomist (one who draws blood for analysis) (Employee 1) took pictures of patient labels that contained Patient A and Patient B's PHI on her personal mobile device. This failure resulted in a breach of PHI for Patients A and B.

Finding: On August 14, 2014 at 9:30 AM, a phone interview was conducted with the Director of Nursing Operations (DNO) regarding an entity reported incident of a breach of PHI for Patient A and Patient B, detected on April 29, 2013. Employee 1 was observed taking pictures of labels containing patient information on her personal mobile device. The DNO stated, "A new scanning program was instituted. The employee was taking pictures of the labels to scan to the lab at a later time". The DNO also stated, "Personal mobile devices are not permitted in the work area; the employee was directed to delete the photos".

During a review of the documentation that had been photographed, the documentation included Patient A's name, date of birth, medical record number and account number. The documentation also included Patient B's name, date of birth, medical record number and account number.

A review of the facility policy and procedure titled, "Confidentiality, Protecting Confidential Information," dated July, 2011, indicated, "Confidential information must be protected from unauthorized uses; disclosures...must be protected to prevent financial fraud and identity theft."

The failure of Employee 1 to ensure the confidential treatment of Patient A and Patient B's PHI resulted in a breach of PHI for Patients A and B.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
