Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST. HELENA HOSPITAL CENTER FOR BEHAVIORAL HEALTH
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 17, 2012. Also cited in 13 other reports.
Report ID: KE8G11, California Department of Public Health
Reported Entity: ST. HELENA HOSPITAL CENTER FOR BEHAVIORAL HEALTH
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of two patients' (Patient 1 and Patient 3) medical information when: A) Patient 1's chart was sent to another California County which was not involved with the patients' care; and B) Patient 3's inhaler, with attached medical prescription information, was placed in Patient 4's personal belongings. These failures allowed the unlawful or unauthorized access to two patients' medical information. Findings:#1. CA00329462The California Department of Public Health was notified on 10/16/12 that a, "Breach of Protected Health Information (PHI)", occurred on 10/9/12.During an interview on 10/17/12 at 11:00 a.m., Administrative Staff A stated that she received an e-mail, on 10/10/12, indicating that Utilization Review Staff had mailed Patient 1's chart, on 10/9/12, to a California County's billing department to collect payment for the patient's stay at the facility. Administrative Staff A further stated that Patient 2's chart was supposed to have been sent instead and that Utilization Review Staff C had made a human error and grabbed the wrong chart in haste and mailed it. Review of the facility Policy and Procedure for "Workforce Awareness and Compliance Related to HIPAA Privacy Rule" (dated 10/4/02) reveals the following: "Under basic legal principles of respondeat superior, an employer is legally responsible for the behavior (and misbehavior) of its workforce...The HIPAA Privacy and Security Rules mandate that every covered entity have necessary and appropriate protections in place to control access to protected health information (PHI) and to prohibit unauthorized access to and dissemination of such information. Privacy cannot be protected unless the provider, payer and health plan takeappropriate steps to guard that information and make reasonable and appropriate efforts to see that members of the workforce comply with privacy and security policies and procedures".#2 CA00329466 The California Department of Public Health was notified on 10/16/12 that a, "Breach of Protected Health Information (PHI)", occurred on 10/10/12.During an interview on 10/17/12 at 11:30 a.m., Administrative Staff A stated that she received an e-mail, from Licensed Staff D, on 10/11/12, indicating that, on 10/10/12, Patient 4 had been discharged from the facility to an outside Crisis Residential facility with Patient 3's belongings intermingled with Patient 4's personal belongings.During an interview on 10/17/12 at 11:45 a.m., Administrative Staff B stated that on admission, to their facility, the patient and their belongings are searched for items not allowed in the facility. These "illegal" items (sharp objects, medications, banned substances) are then placed in a plastic bag which is labeled with the patients name and sealed. Subsequently the "illegal" items package is filed, by last name, in a locked and secured area. On patient discharge the locked up "illegal" items package is returned to the patient it belongs to as they walk out the door.Administrative Staff B further stated that when Patient 3 was discharged home, on 10/5/12, her "illegal" items package, filed by last name in a locked and secured area, could not be located and Patient 3 went home without some of her belongings, which included a medicated inhaler with the prescription label/information attached. Subsequently Patient 3's belongings were found and placed at the nursing station desk, on 10/10/12, for Patient 3's family to pick up.Administrative Staff B continued her statement that, on 10/10/10, Patient 4 was discharged to an outside facility and due to hasty human error, Patient 3's "illegal" items package was placed in Patient 4's belongings as he walked out the door. Patient 4 did not notice the mix-up until he arrived at the Crisis Residential facility and he and his belongings were searched for items not allowed in that facility. Patient 3's "illegal" items package was returned to the facility for pickup by Patient 3's family.Review of the facility Policy and Procedure for "Discharge Of Inpatient" (dated 2/12), reveals the following: "3. Assist the patient to gather belongings including: Personal belongings from patient's room or property storage room, Medications stored in Pharmacy, Patient's own medications kept in medication rooms * Valuables kept in safe keeping-check Valuables Receipt * Prescriptions * Sharps, glass, etc. stored in medication room or other area of safekeeping".Review of the facility Policy and Procedure for "Workforce Awareness and Compliance Related to HIPAA Privacy Rule" (dated 10/4/02), reveals the following: "Under basic legal principles of respondeat superior, an employer is legally responsible for the behavior (and misbehavior) of its workforce...The HIPAA Privacy and Security Rules mandate that every covered entity have necessary and appropriate protections in place to control access to protected health information (PHI) and to prohibit unauthorized access to and dissemination of such information. Privacy cannot be protected unless the provider, payer and health plan takeappropriate steps to guard that information and make reasonable and appropriate efforts to see that members of the workforce comply with privacy and security policies and procedures".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280