Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 20, 2015. Also cited in 55 other reports.
Report ID: 0UKT11, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) when a registered nurse (Employee 1) missed finding consent forms left behind in Patient B's room after transferring Patient B from the Intensive Care Unit (ICU) to the Telemetry Unit. Patient A was transferred from the Telemetry Unit room into the ICU. Unsecured consent forms belonging to Patient B were left behind and were picked up from Room 17 when Patient A was discharged from the facility. This failure to secure Patient B's belongings resulted in a Health Insurance Portability and Accountability Act (HIPAA) breach of Patient B's PHI to Patient A.Findings:During an interview with the Risk Management/HIPAA Compliance Officer on April 20, 2015, when asked about what happened, she stated, "We received a call from the daughter of Patient A . . . they discovered some things in her [Patient A] folder e.g. three copies of consents . . . it was believed the documents were left by the patient [Patient B] in a drawer in the room."During an interview on May 4, 2015 at 2:00 PM, when Employee 1 was asked where the documents where in the patients [Patient A] room, she stated, "I don't remember." When asked what she would have done differently to prevent a future reoccurrence of a HIPAA breach, she stated, "Take the time to to double check all cabinets to make sure all belongings have been removed including hard to see areas." When asked about being Patient B's nurse, she stated, "I remember the event but do not remember the patient name."During an interview on May 4, 2015 at 2:45 PM, with the Telemetry manager, when asked about systems, process or procedures to prevent a HIPAA breach, she stated, ". . .We [Telemetry unit] use orange folders to make sure patients have all of their documents."A record review of the facility's documents, reflected Patient A was transferred from ICU North (Room 17) to Telemetry (Room 247). Patient B was transferred from Telemetry (Room 247) to ICU North (Room 17). A record review of three (3) forms titled, Patient Consent, including two forms dated January 20, 2015 and one form dated January 21, 2015, indicated the following information was breached: the name of the physician, the name and type of procedure, the type of anesthesia, the date and time of consent, and Patient B's name, date of birth, medical record number, date of admission and admitting physician.A review of the facility policy titled, Confidentiality Policy, dated January 24, 2012, indicated, "The employee will follow all St Joseph Health System (SJHS) Ministry policies and procedures and the SJHS Standards of Conduct, and will take all precautions to prevent any intentional or unintentional use or disclosure of patient health information without the signed authorization of the patient."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights