Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 17, 2014. Also cited in 55 other reports.
Report ID: 2PJ411.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A, when Employee 2 issued a prescription to Patient B with Patient A's pre-printed patient label attached to it which resulted in an unauthorized disclosure of Patient A's PHI.On December 22, 2014 at 11:40 AM, a phone interview was conducted with Employee 1 and the Risk Manager (RM) regarding an entity reported incident of a breach of PHI for Patient A, detected on April 25, 2014. During an interview with Employee 1, she stated that Patient B was seen in the Emergency Room (ER) fast track for back pain on April 25, 2014 at 12:00 am. Employee 1 further stated that she wrote a prescription for pain which was stapled to Patient B's discharge instructions. Employee 1 stated when Employee 2 delivered the discharge packet and prescription to Patient B, he was not happy with the medication ordered and requested something stronger. Employee 2 then brought the prescription to Employee 1 informing her of Patient B's request for stronger medication. Employee 1 stated she destroyed the original prescription and wrote a new one, then gave the prescription to Employee 2 to label prior to issuing it to Patient B. Employee 1 stated that Patient A and Patient B's charts were on Employee 2's computer work station when Employee 2 selected a label from Patient A's chart rather than Patient B's chart and labeled Patient B's prescription. Employee 1 stated it was her personal responsibility to ensure proper labeling of prescriptions, but because she did not have the chart at that time, she asked Employee 2 to do it for her. Employee 1 stated that a Pharmacist later called the ER and spoke with her to verify that the prescription was for Patient B and not for Patient A, which was confirmed. During a concurrent interview with the RM and Employee 1, the RM stated that Patient A was notified of the breach of PHI by certified mail.During record review, a copy of the "Summary of Events" was reviewed describing the hospital's investigation.A copy of the document breached was reviewed and included Patient A's name, DOB, age and medical record number.A copy of the letter notifying Patient A of the breach was reviewed and was dated May 1, 2014.Employee 1's hospital educational documents which included; "MediTech Confidentiality Form" signed and dated 2/04/07, "New Physician Orientation Verification", and "Compliance Personal Training Summary" were reviewed which included HIPAA training.Employee 2's educational documents were reviewed and included; "Confidentiality Agreement" dated 11/2/10, "General Orientation Verification" dated 11/08/10, and Educational Transcripts for 2014, which included HIPAA training.A review of the policy and procedure titled "Confidentiality Policy" dated 1/22/14 states, "The employee will follow all (Facility 1's) policies and procedures and the Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient".The facility failed to ensure the correct label was placed on the correct prescription resulting in an unauthorized release of Patient A's PHI to Patient B.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights