Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 24, 2015. Also cited in 90 other reports.
Report ID: LNYT11, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of protected health information (PHI) for Patient 1, when a copy of Patient 1's medical record was released to Patient 2. The failure resulted in the disclosure of Patient 1's PHI to an unauthorized individual. Findings:The California Department of Public Health received a faxed report on 8/22/14. The report indicated on 8/15/14 the hospital was notified by Patient 2's family member a copy of Patient 1's medical records had been inadvertently released to Patient 2. Both had similar names. The hospital received a release form for Patient 2's medical records, but had inadvertently released Patient 1's medical records. Patient 2's family member returned to the hospital the copy of Patient 1's medical records. During an interview on 3/24/15 at 12:30 p.m., the hospital's acting compliance and privacy officer (CPO) stated on 8/15/14 Patient 2's family member arrived at the hospital and stated they received medical records for the incorrect patient (Patient 1). CPO stated the hospital received release authorization forms for Patients 1 and 2. The hospital's business associate (BA) released the medical records for both patients. CPO stated on 8/8/14 Patient 2 came to the hospital to pick up his medical records, but needed an interpreter. An interpreter was provided by the hospital. CPO stated a BA staff was in the hospital's records department helping Patient 2 and inadvertently gave Patient 1's medical record, which consisted of 383 pages. CPO stated the BA staff did not ask for Patient 2's identification since the staff member thought the hospital's records department staff had already checked. CPO stated the copy of Patient 1's medical record included Patient 1's orders, history and physical, consultations, therapy evaluations, and progress notes. CPO stated on 8/15/14 Patient 2 returned the copy of Patient 1's medical record to the hospital, and he received a copy of his correct medical record.During an interview on 3/25/15 at 2:30 p.m., the health information clerk (HIC) stated in August 2014, she was asked to translate for Patient 2's family member who stated she had received a copy of the incorrect medical records. HIC stated Patient 2's family member stated the copy of the medical records she received were not correct and believed they belonged to another patient. HIC stated when she looked at the copy of the medical records Patient 2's family member had brought to the hospital, they listed the same name as Patient 1, but the birthdate was different.An attempt was made to contact Patient 1 and Patient 2, but this was not possible since their contact telephone numbers were inoperable.Review of a copy of a letter dated 8/22/14 from the hospital to Patient 1 indicated his medical information was inadvertently disclosed. Review of a copy of an authorization of Patient 1 for release of medical records form dated 4/24/14 indicated authorization to release "All Medical Records" and "Imaging/Imaging Results".Review of a copy of Patient 1's medical records revealed Patient 1's name, medical record number, date of birth, gender, physician's orders, X-ray results, laboratory results, history and physical, physical therapy daily progress notes, treatment notes, and physical therapy discharge summary.Review of a copy of the BA's 10/15/12 "Workflow Diagram Part 2" indicated "error occurred" in the "Packaging/Faxing/E-Delivery Department" where the staff was supposed to verify requestor against request.Review of a copy of the hospital's 12/27/13 "Workforce General Obligations Regarding Uses & Disclosures of PHI" indicated all workforce members must take reasonable steps to safeguard PHI from any unintentional disclosure.Review of a copy of the hospital's 7/11/13 "Patient Identification (Verification)" policy indicated all employees must verify the identity of the patient before providing a patient with their paperwork. The identifiers stated and presented by the patient will be compared for accuracy to the same identifiers as found on hospital documents.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280