OCEANSIDE - A top official at Tri-City Medical Center said Friday that some employees at the hospital violated federal privacy policies by using personal cell phones to take pictures of private medical records.

Suellyn Ellerbe, the hospital's chief operating officer, said that after an extensive investigation of two separate incidents last month, "10 employees were discharged and several others were disciplined."

The executive said the hospital met with five nurses Friday for what she called "termination hearings," where employees can review the reasons they were fired and voice their objections.

"The hearings will probably continue into next week," Ellerbe said. The other five employees -- three secretaries and two technicians -- will also have similar hearings.

Hospital administrators said they were first informed of inappropriate employee activity on April 18. Ellerbe said that a security guard saw an employee attempt to take a picture that day of a patient in Tri-City's emergency room with a camera built into a cellular telephone.

She said the security guard was able to stop the employee, who was not a nurse, from taking the photo before notifying emergency room managers of the foiled photo attempt.

"The photograph was not taken," Ellerbe said, adding that hospital policy forbids cell phones in the hospital's emergency room.

Ellerbe would not say why the hospital employee tried to take a picture of the patient, citing patient confidentiality. She said the employee who tried to take the photograph was put on immediate administrative leave because it is against hospital policy to use a cell phone with a camera inside the hospital.

Ellerbe said the foiled incident spawned a hospitalwide investigation to root out any other employees who might be violating privacy laws. That investigation turned up more camera phone abuse.

Ellerbe said, for example, that several nurses informed investigators that some employees viewed, printed and photographed a patient's X-ray without proper authorization.

Ellerbe declined to state what was so interesting about the X-ray that it would command the attention of so many hospital employees.

"I cannot discuss that, because I might end up disclosing patient information," Ellerbe said.

A federal law, the Health Insurance Portability and Accountability (HIPAA) Act of 1996, requires health care organizations and their employees to keep all patient information confidential.

Arthur Gonzalez, Tri-City's president and chief executive officer, said Friday that simply gaining access to patient records, without a valid medical reason, violates the act.

"Unless you have a reason to access that record, then you have no business getting involved," Gonzalez said.

Gonzalez said the X-ray had no name, Social Security number or other information on it that could indicate to whom it belonged.

The Office for Civil Rights, a division of the U.S. Department of Health and Human Services, is responsible for enforcing the patient confidentiality act.

Gonzalez said the hospital contacted representatives with the Centers for Medicare and Medicaid Services, a division of the state Health Services Department, to determine if the privacy lapse should be reported.

"They told us that since no personally identifiable information made it outside the hospital, it was not required to be reported," Gonzalez said.

No one from the Office for Civil Rights or the Health and Human Services Department was available Friday to comment.

Alan Zamansky, of the California Office of HIPAA Implementation, said Friday that just because there was no name or identification number attached to the X-ray does not necessarily mean that it could not be attached to a person.

"If a person knew that someone had been seen with that condition that was shown on the X-ray at that particular time, then it is possible there could be an identification," Zamansky said.

Pam Dixon, president of the World Privacy Forum, a public health research group based in Carlsbad, said Friday that hospitals have a duty to protect patents' records.

"It is inconceivable to me that any nurse or health care provider would take a picture of an X-ray that is in someone's file," Dixon said.

Gonzalez said he agreed, adding that Tri-City has tried its best to keep all records confidential.

He said each employee hired at the hospital must sign a confidentiality agreement and undergo privacy training when hired. The hospital also maintains a "values line," which employees can use to anonymously report any privacy violation they observe. In addition, he said the hospital routinely audits its computerized records system to make sure that no one is accessing files inappropriately.

"I think that, in this case, we had a very regrettable thing happen," Gonzalez said. "But I am encouraged that we were able to detect this immediately and take immediate action to prevent this from getting outside the building."

He said the impending firings should reinforce the idea that Tri-City takes patient privacy seriously.

"We have a zero-tolerance policy for this kind of thing," Gonzalez said.

- Contact staff writer Paul Sisson at (760) 901-4087 or psisson@nctimes.com.