Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Mercy Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 23, 2013. Also cited in 34 other reports.
Report ID: L25E11, California Department of Public Health
Reported Entity: MERCY MEDICAL CENTER
Issue:
Based on staff interview, clinical record review, and administrative document review, the facility failed to ensure confidential treatment of protected health information (PHI) when: 1) Patient 2's name, account number, medical record number, and location in hospital were printed on discharge instructions for Patient 1. (CA00363478)2) Patient 3's transfer packet was sent with Patient 4, who had been transferred to another facility. The transfer packet included Patient 3's name, date of birth, age, sex, account number, medical record number, admit date, location while in facility, discharge diagnosis, allergies, diet, medications, consultation reports, emergency room report, history & physical, laboratory reports, and diagnostic imaging reports. (CA00364142)These failures resulted in a breach of Patient 2 and 3's PHI and the potential for abuse of that information.Findings:CA003634781) On 8/23/13 at 10:14 a.m., during a telephone interview, the Health Information Manager Director (HIM Director) stated Registered Nurse 1 (RN 1) did not check the patient name on the discharge instructions before giving them to Patient 1 (the wrong patient).Patient 2's PHI breached included: name, account number, medical record number, and location in hospital The hospital policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding of," Policy Number IM-312, effective date 2/06, implementation date 12/09, indicated, "It is the policy of [hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity." CA003641422) On 8/23/13 at 9:58 a.m., during a telephone interview, the Health Information Manager Director (HIM Director) stated the PHI for Patient 3 was sent with Patient 4 to another facility. HIM Director stated the Registered Nurse (RN 2) should have checked the patient name on the information against the identification band on the patient's wrist.Patient 3's PHI breached included: name, date of birth, age, sex, account number, medical record number, admit date, location while in facility, discharge diagnosis, allergies, diet, medications, consultation reports, emergency room report, history and physical, laboratory reports, and diagnostic imaging reports. The hospital policy and procedure titled, "Protected Health Information and Sensitive Information, Safeguarding of," Policy Number IM-312, effective date 2/06, implementation date 12/09, indicated, "It is the policy of [hospital] to comply with state and federal regulations regarding the safeguarding of physical and electronic form of Protected Health Information (PHI). Staff shall provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights