Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KERN MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 4, 2011. Also cited in 23 other reports.
Report ID: O8N711, California Department of Public Health
Reported Entity: KERN MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to protect two patients' (1 and 2) health information when:1. A hospital employee (Registered Nurse [RN] 1) disclosed Patient 1 and 2's protected health information to a private citizen. 2. RN 1 accessed Patient 1 and 2's health information for reasons other than work related business. Findings:During an interview with the Privacy Officer (PO), on 11/4/11, at 3:05 PM she stated "On 10/17/11 we were notified by Child Protective Services (CPS) regarding a patient breach from the hospital. Patient 1 had a baby on 10/2/11 and did a safe surrender." During the interview, the PO said CPS gave the first names of hospital employees who talked to Patient 1 regarding adoption for Patient 2. The PO stated, "It was determined that RN 1 was involved and she (RN 1) then asked RN 2 to give Patient 1her phone number." The CPS report was reviewed on 11/4/11 at 3:54 PM. The "Report of Complaint" indicated that on 10/14/11, Patient 1 reported she wanted to revoke the safe surrender of Patient 2. Patient 1 had been contacted by Private Citizen (PC) 1 and 2 to make arrangements to discuss adopting Patient 2. Patient 1 requested CPS to speak with PC 1. During this time PC 1 reported he was informed by RN 1, that Patient 1 safely surrendered Patient 2, and that he was given Patient 1's contact number. The PO's "Follow Up" Report was reviewed on 11/9/11, at 8:20 AM. It indicated that on 10/20/11 the PO ran an audit trail which reflected that RN 1 accessed Patient 1's electronic medical record (EMR) without authorization. On 10/26/11 another audit trail was run which reflected RN 1 accessed Patient 2's EMR without authorization. On 11/7/11 there was an interview with RN 2, the PO, and Union Representative. RN 2 stated that she was asked by RN 1 to deliver a card with her (RN 1's) name and number to Patient 1. The hospital policy and procedure titled "Confidentiality," dated 6/2011, indicated in part, section III, "Access to, and distribution of, private and confidential information is limited to authorized individuals who have a valid need for information in the performance of their normal job related functions"; employees of the hospital must agree and adhere to the confidentiality policy as a condition of employment; and access to the information system, "...should be provided only to those with a need to know in order to perform their job." V. Procedure: A.1.B. "Employees shall retain information solely for legitimate business purposes."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights