Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 26, 2014. Also cited in 46 other reports.
Report ID: R0XP11, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview, record and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a Certified Nurse Assistant (CNA) 1 inappropriately accessed Patient 1's medical record. CNA 1 accessed the hospital's electronic medical record (EMR) without a business purpose or direct medical need. As a result of this failure, CNA 1 had direct access to Patient 1's personal and medical information.Findings:An onsite investigation of an entity reported privacy breach was initiated on 2/26/14. It was reported to the California Department of Public Health that, on 1/13/14 an employee had inappropriately accessed Patient 1's medical information without authorization or a "business need to know." On 2/26/14 at 2:40 P.M., an interview was conducted with the Risk Management (RM). The RM stated that Patient 1's family member had voiced a complaint on 1/14/14 and that prompted an investigation. The RM stated that the Human Resources department reviewed the EMR activity log and confirmed that CNA 1 had accessed Patient 1's medical record on 1/13/14 and 1/14/14. The RM stated that CNA 1 had accessed the following information from Patient 1's medical record;Patient 1's name and date of birth, home address, admitting diagnosis, history and physical, physician and nursing progress notes, prior admission history and the names of Patient 1's primary and attending physicians.A review of CNA 1's employee record revealed that on 7/5/13, CNA 1 had training on the access, use and disclosure of patient health information. This same file revealed a letter dated 1/29/14 to CNA 1 that indicated "After careful consideration, and a thorough investigation...the decision to terminate your employment.... effective 1/29/14." On 2/26/14 at 3:20 P.M., an interview was conducted with the Director of Acute Care (DAC). The DAC stated that CNA 1 had asked for an update from Patient 1's primary nurse. The primary nurse refused and told CNA 1 due to HIPPA (The Health Insurance Portability and Accountability Act) rules "I can't." The DAC stated that later that same day, CNA 1 went to the same nurse and insisted on an update for Patient 1, but that the nurse again refused. CNA 1 then went to the manager of the floor (PCUM) and requested an update on Patient 1 and that the PCUM refused. The DAC stated that the PCUM spoke with the primary nurse and verified that CNA 1 had requested information about Patient 1. The DAC stated that PCUM had informed her of all CNA 1's request for information on Patient 1. The DAC stated that CNA 1 was questioned by PCUM and that CNA 1 denied that she had accessed Patient 1's medical record. The DAC further stated that this prompted an audit report to be pulled to ensure that CNA 1 had not accessed Patient 1's medical record. The DAC stated that the audit report revealed that CNA 1 had accessed Patient 1's medical record multiple times on two separate days, 1/13/14 and 1/14/14. The DAC stated a meeting was then held with CNA 1, PCUM, DAC and the Director of Human Resources (DHR). CNA 1 only acknowledged she accessed Patient 1's medical record after she had seen the audit log.On 2/26/14 at 4:15 P.M., an interview was conducted with CNA 1. CNA 1 stated that one of her family members had requested CNA 1 to get information about Patient 1. CNA 1 stated that she went to Patient 1's primary nurse but that the nurse would not give her any information. CNA 1 stated that she went into the EMR and "just started clicking", and that she didn't know what she was looking for or looking at, just hoped to get something. CNA 1 stated that later she told her family member that she needed to contact the hospital to get any information. CNA 1 acknowledged that she should not have accessed Patient 1's EMR.A review of the hospital's policy and procedure, entitled "Health Information-Access, use and Disclosure", dated 11/12, indicated "III. TEXT: A. (name of hospital) shall disclose protected health information with authorization of the patient/legal representatives and in accordance with mandated state and federal disclosure requirements. C. (name of hospital) Workforce Access: Access to health information will be limited to: 1. Personnel providing care and treatment..." This policy was not followed with CNA 1 accessed Patient 1's medical and personal record when she was not providing care or treatment to Patient 1. A review of the hospital's policy and procedure, entitled "Investigating and Reporting Allegations of Unauthorized Access of Medical Information", dated 11/12, indicated "III. TEXT: A. (name of hospital) performs both random and focused patient privacy audits to monitor user activity and to detect unauthorized access. Patients' medical information may be accessed only by workforce members who have a business need to know."The CNA's failure to follow the policy and procedure with regards to the access of Patient 1's electronic medical record with a business need to know or providing care and treatment resulted in the unauthorized release of Patient 1's protected health record information. This was also in violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights