Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHARP CHULA VISTA MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 11, 2014. Also cited in 46 other reports.
Report ID: R9RD11, California Department of Public Health
Reported Entity: SHARP CHULA VISTA MEDICAL CENTER
Issue:
Based on interview, record and document review the hospital failed to ensure that Patient 1's personal and protected health information (PHI) was kept confidential when a Front Desk Volunteer (FDV) 1 called a friend (F) 1 and informed F1 that Patient 1 had been admitted to the hospital. Patient 1 was a "No Publish (no information allowed to be given). As a result of this failure, F1 received information about Patient 1 that was requested not to be given out and, therefore, the wishes of Patient 1's family were not granted.Findings:An investigation of an entity reported privacy breach was initiated on 9/11/14. It was reported to the California Department of Public Health that on 8/29/14 an employee (FDV) had released information about Patient 1's hospital admission to a friend without the authorization from Patient 1 or Patient 1's family.On 9/11/14 at 1:20 P.M., an interview was conducted with the Manager of Patient Relations (MPR). The MPR stated that F1 called Registered Nurse (RN) 1 and told her that FDV told her that Patient 1 was in the MICU (medical intensive care unit) and asked if she could visit Patient 1. RN 1 then contacted MPR. MPR confirmed that the FDV had been a current volunteer and that Patient 1 was a "No Publish", MPR then contacted Manager of Volunteer Services (MVS). On 9/11/14 at 1:53 P.M., an interview was conducted with the MVS. The MVS stated that MPR informed her that FDV call F1 and gave her information on Patient 1's hospital admission. MVS stated she went to the volunteer desk and removed FDV from her duties after informing her of the breach. MVS stated that FDV stated "I would have told my friend when I got home anyway and I only told her that he was in the hospital and he could not have visitors." MPR stated that all the volunteers received extensive training on "No Publish" and HIPAA (Health Insurance Portability and Accountability Act) and FDV should have not have called F1 about Patient 1. The MVS stated that the volunteers have a hard copy instruction sheet on how to handle visitors with regards to "No Publish" patients. The MVS stated that they also put a line through the name as a secondary indicator of the "No Publish.'On 9/11/14 at 1:40 P.M., an interview was conducted with the Patient Access Service Manager (PASM). The PASM stated that the department received a call from RN 2 that instructed them that Paine 1 was a No Publish. The PASM stated this occurred on admission.On 9/26/14 at 8:53 A.M., an interview was conducted with RN 2. RN 2 stated that when Patient 1 arrived in the ICU (intensive care unit) that she had a conversation with Patient 1's spouse with regards to visitors. Patient 1's spouse requested no information to be given about Patient 1, therefore RN 2 called the admission department to make Patient 1 a No Publish.On 9/26/14 at 9:06 A.M., an interview was conducted with RN 1. RN 1 stated that F1 (related to RN 1) had called and informed RN 1 that Patient 1 was in the hospital and did not think Patient 1 would accept visitors. RN 1 stated that she had told F1 that was a HIPAA violation and asked F1 where she had got the information about Patient 1. RN 1 stated that F1 told her she received that information from FDV. RN 1 further stated that F1 had volunteered at the hospital with FDV. On 11/18/14 at 10:42 A.M., an interview was conducted with FDV. FDV stated that F1 was her best friend and that Patient 1 was also a friend. FDV acknowledged that she know that "No Publish" meant no information was to given out. FDV acknowledged that she should not have called F1 and stated she called F1 and only told her that Patient 1 was in the hospital and "is a no information so no calls or visitors, that was it, that's all I said."A review of the hospitals "Registration Audit Trail", indicated "8/26/14 5:05 P.M., No Publish." A review of the volunteers patient "House List", dated 8/26/14, indicated "Patient 1's name with "NP (no publish)" with a line through the name. A review of the hospital's policy and procedure, entitled "No Information/No Publish Status", dated 02/14, indicated "III. It is the policy of (hospital name) to allow for a no information / no publish confidential account. A no information account prevents all telephone inquiries, flowers, mail, etc., to be received for the patent whose account that is, whiles the patient is in-house.:The FDV's failure to follow the policy and procedure with regards to the "No Publish" for Patient 1, resulted in the unauthorized access of Patient 1's protected health record information. This was also in violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights