Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 14, 2012. Also cited in 103 other reports.
Report ID: 3MGW11.04, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to protect the confidential medical information of 45 out of 100 patients (Patients 1, 6,8,10,14, 16, 18, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, and 57) reviewed when: 1. Patient 5 received a Medical ID (identification) Card pertaining to Patient 1;2. Patient 7 received an appointment reminder form pertaining to Patient 6; 3. Patient 9 received an x-ray requisition form pertaining to Patient 8;4. Patient 11 received a Medical ID (identification) Card pertaining to Patient 10;5. Patient 15 received a Medical ID (identification) Card pertaining to Patient 14.6. Patient 17 received admitting forms and ID wristband pertaining to Patient 16; 7. Patient 19 received a prescription slip pertaining to Patient 18; 8. A staff member e-mailed 38 patients' (Patients 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, and 57) PHI (Protected Health Information) to two persons outside the hospital system, a personal lawyer and a union representative.These failures placed the patients at risks for loss of dignity and privacy, identity theft and misuse of personal information. Findings:1. On 5/23/12, the PO (Privacy Officer) stated that on 12/30/11 staff gave Patient 5 ' s mother the medical ID (Identification) card belonging to Patient 1, after a clinic appointment. The PO explained that the error was discovered on 1/27/12 when Patient 5 ' s mother returned to the medical ID card belonging to Patient 1 to the clinic. The PO stated that the Medical ID Card included the Patient ' s name, date of birth, phone number, medical record number and primary care physician ' s name. Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 1 showed an appointment on 12/30/11 at facility 646.Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 5 showed an appointment on 12/30/11at facility 646.2. On 5/23/12, the PO (Privacy Officer) stated that on 1/12/12 staff gave Patient 7 an appointment slip embossed with Patient 6 ' s medical ID (Identification) card after a clinic appointment. The error was discovered on 2/8/12 when Patient 7 arrived for appointment instead of Patient 6. The PO explained that both patients were seen in the same clinic on 1/12/12. The PO further explained that the appointment slip typically has the patients first, middle and last name, medical record number, primary care provider ' s name and information about the future appointments. Review on 5/23/12, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 6 showed an appointment on 1/12/12 at facility 646.Review on 5/23/12, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 7 showed an appointment on 1/12/12 at facility 646.Review on 5/23/12, of the " Appointment slip " that Patient 7 showed clinic registration on 2/8/12 showed that it had Patient 6 ' s name, medical record number, primary care physician ' s name and four future appointments for patient 6 including one on 2/8/12.3. On 5/23/12, the PO (Privacy Officer) stated that on 2/7/12 staff gave Patient 9 a lab requisition form embossed with Patient 8 ' s medical ID (Identification) card after a clinic appointment. The PO explained that the error was discovered on 2/24/12 when Patient 9 called Patient Relations to complain about the incident and that Patient 9 refused to return the radiology requisition form to the hospital stating he would destroy it. The PO stated that the Medical ID Card included the Patient ' s name, date of birth, phone number, medical record number and primary care physician ' s name and the radiology requisition form included information about Patient 8 ' s radiologic procedure. Review on 5/23/12, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 8 showed an appointment on 2/7/12 at facility 646.Review on 5/23/12, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 9 showed an appointment on 2/7/12 at facility 646.4. Patient 11 received a Medical ID (identification) Card pertaining to Patient 10 On 5/23/12, the PO (Privacy Officer) stated that on 3/7/12 staff gave Patient 11 the medical ID (Identification) card belonging to Patient 10, after a clinic appointment. The PO explained that the error was discovered on 3/7/12immediately after the incident, when Patient 11 returned to the clinic and gave the Medical ID card to the registration clerk. The PO stated that the Medical ID Card included the Patient ' s name, date of birth, phone number, medical record number and primary care physician ' s name. Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 10 showed an appointment on 3/7/12 at facility 646.Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 11 showed an appointment on 3/7/12 at facility 646.5. On 5/23/12, the PO (Privacy Officer) stated that on 3/16/12 staff gave Patient 15 the medical ID (Identification) card belonging to Patient 14, after a clinic appointment. The PO explained that the error was discovered on 3/19/12 when Patient 15 came to the clinic lab and handed the registration clerk the medical ID card belonging to Patient 14. The PO stated that the Medical ID Card included the Patient ' s name, date of birth, phone number, medical record number and primary care physician ' s name. Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 14 showed an appointment on 3/16/12 at facility 646.Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 15 showed an appointment on 3/16/12 at facility 646.Review on 5/23/11, of the " Specimen Inquiry " dated 3/19/12 showed Patient 15 name on the inquiry and in the bottom left corner a photo copy in color of Patient 14 ' s Medical ID Card and a hand written note " Pt given wrong card. "6. On 5/23/12, the PO (Privacy Officer) stated that on 3/20/12 a registration clerk gave admitting papers and placed a medical ID (Identification) wristband onto Patient 17 ' s wrist that belonged to Patient 16. The PO explained that the error was discovered on 3/20/12 when Patient 16 asked at registration when it would be her turn.Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 16 showed an appointment on 3/20/12 at facility 646.Review on 5/23/11, of the " MPI Visit Selection " (a list of clinic appointments) for Patient 17 showed an appointment on 3/20/12 at facility 646.On 5/23/12, the ACRM (ambulatory care registration manager) stated that RC-1 made the error of identification for Patient 17 and Patient 16 due to both patients speaking limited English and failed to follow the policy for " Patient Identification Process. "Review on 5/24/12 of facility policy "Patient Identification Process", dated 9/2011, showed that the policy instructed staff to protect and accurately identify each patient served, and that staff must reliably identify the individual as a person for whom the service or treatment is intended and must match the service or treatment to that individual and must secure their protected health information and medical record accuracy at all encounters. The policy instructed Registration Clerk staff that for patients presenting for services 18 years and over:1. Request to see a government issued photographic proof of identity, 2. Compare the identification presented with the patient information in the registration system and the appointment documentation.7. On 5/23/12, the PO (Privacy Officer) stated that on 3/21/12 staff gave Patient 19 prescription instructions embossed with Patient 18 ' s medical ID (Identification) card after a clinic appointment. The error was discovered on 3/21/12 when Patient 19 left the prescription intended for Patient 18 at the clinic registration desk on her way out saying " this is not for me. " 8. On 2/23/12, the PO (Privacy Officer) stated that on 1/12/12 and 1/13/12 staff e-mailed 38 patients protected health information to persons outside the hospital system. The PO explained that the staff member sent an e-mail complaining about a breach of confidentiality happening on the printer in the outpatient pharmacy to the Personnel Department, but that this staff member included an attachment of scanned copies of the patient information that was improperly printing out and also sent the e-mail and attachments to her lawyer and union representative, because Pharmacist-1 had been having ongoing personnel issues. The PO explained that this was reported to him on 1/13/12 by the Personnel Department. Review on 2/24/11, of the e-mail attachments showed six pages of patient information that included Patient 56's appointment reminder, name, medical record number, and two future appointments at two different clinics; a " Minor Procedure Clinic Schedule " dated 1/13/12 for 35 patients (Patients 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, and 55) with the patients' names, medical record numbers, time of appointment, and procedures to be done; an an IUD (intra uterine device for birth control) prescription with Patient 57's name, date of birth, telephone number, address, the prescription, and the physician's name address, phone numbers and NPI Number (National Provider Identification Number).On 5/24/12, Pharmacist-1 stated that on 1/12/12 and 1/13/12 she did email the IT (information technology) network Administrator complaining about the IT issues with the printer in the outpatient pharmacy and that she attached the scanned copies of the patient information that had been printing erroneously, because the IT network Administrator had instructed her to do so. Pharmacist 1 said that she also copied the e-mail to be delivered to her supervisor, her lawyer and her union representative. Pharmacist-1 stated she had sent the copies to her lawyer and union representative because she felt she was being set up to get fired. Pharmacist-1 further stated she was unsure if she had ever received training regarding how and who to report a breach of confidentiality.The above findings did not reflect the hospital's policy. Review on 5/23/12 of facility policy "Safeguarding Protected Health Information", dated 4/14/2003 and revised 7/1/2010, showed that the policy instructed staff that " Workforce members must take precautions to prevent the unauthorized access, use, or disclosure of health system identification card itself, any document embossed with this information, or any document with this information written on any part of it. " The policy further instructed staff that they " must be very careful to give the correct health system identification cards and paperwork to the proper patient. "
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights