Jan 21, 2015

This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

STANFORD HOSPITAL

300 PASTEUR DRIVE, STANFORD, CA 94305

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 21, 2015. Also cited in 15 other reports.


Report ID: YVF311, California Department of Public Health

Reported Entity: STANFORD HEALTH CARE

Issue:

Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI) for one patient (1), when a staff member intentionally accessed the electronic medical record of Patient 1 without a business related reason. The failure resulted in the disclosure of Patient 1's PHI to an unauthorized individual.

Findings:

The California Department of Public Health received a faxed report on 8/28/14, which indicated on 8/21/14 the hospital discovered a staff member (MA) had accessed Patient 1's electronic medical record without a business related reason. After an internal investigation, the hospital identified MA had accessed Patient 1's medical record disclosing demographic and medical information. MA had not cared for Patient 1, nor had a business related reason to access Patient 1's medical record.

Review of a copy of the internal investigation by the hospital indicated an audit indicated MA had accessed Patient 1's medical record for a total of approximately five minutes on 7/23/14 and 7/28/14. "The investigation confirmed unauthorized access to [Patient 1's] record." MA was terminated and placed on the "do not rehire" list.

Review of a copy of the audit for access of Patient 1's medical record by MA indicated access on 7/23/14 disclosing demographics and medical reports disclosing dates of service, treating lab, attending physician; and also access on 7/28/14 disclosing demographics and images.

During an interview on 1/21/15 at 11:45, the compliance and privacy officer (CPO) stated she had spoken to both Patient 1 and MA about the incident. On 8/21/14, Patient 1 called the hospital and was upset that MA had accessed her medical record. MA had accessed Patient 1's medical record without authorization, and without stating a reason. CPO stated Patient 1 became aware of the unauthorized access of her medical record when MA's family member (FM 1) notified Patient 1's family member. CPO stated Patient 1's demographics, dates of service, treating department, and provider physician had been disclosed. MA told CPO she had accessed Patient 1's medical record and knew she should not have accessed it.

Review of a copy of MA's training indicated "confidentiality" training on 7/9/14, "Protecting Patient Privacy...one patient at a time" training on 7/9/14, and hospital "Code of Conduct" training on 7/9/14.

Review of a copy of a letter dated 8/28/14 from the hospital to Patient 1 indicated on 8/21/14 MA had accessed Patient 1's medical record without a business related reason.

Review of a copy of the hospital's 04/2013 "HIPAA: Internal Access to Protected Health Information" policy indicated access to Protected Health Information (PHI) is limited to that necessary to perform one's job function. Each member of the workforce has the responsibility to ensure his or her access to PHI is appropriate. Access to PHI is limited to only those purposes where one has a need to know subject to the minimum necessary requirement.

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280
