Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VICTOR VALLEY GLOBAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 13, 2015. Also cited in 8 other reports.
Report ID: XMO011.01, California Department of Public Health
Reported Entity: VICTOR VALLEY GLOBAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when an Emergency Room Director (ER Director) sent via email Patient A's medical documents to Patient B. This resulted in an unauthorized disclosure of Patient A's PHI.
Findings:
On April 13, 2015 at 10:30 AM, a phone interview was conducted with the Compliance and Privacy Officer (CPO) regarding an entity reported incident of a breach of Patient A's PHI detected by the facility on October 9, 2013. The CPO stated the ER Director was forwarding via email a medical record document of Patient A, which contained Patient A's name, date of birth, age, account number, medical record number, diagnoses, medical procedure name with result, laboratory test name, and medication name with dosage, to a Medical Doctor (MD 1), but it went to an unintended private residence.
The CPO stated that Patient A was notified on October 29, 2013 of the breached PHI and provided a copy of the letter.
On April 29, 2015 at 9:00 AM, a phone interview was conducted with the ER Director regarding this entity reported incident. The ER Director stated "I forwarded a patient's (Patient A) history and physical document to the email address given to me by MD 1." MD 1 gave me the wrong email address. The ER Director denies mistyping the email address.
The ER Director stated the facility learned of the breach on October 9, 2013, when the unintended recipient sent an email back to the facility saying that she (unintended recipient) received the email meant for MD 1 in error.
A copy of the letter sent to Patient A dated October 29, 2013 informing him about the breach of PHI was reviewed.
A review of the history and physical document for Patient A showed Patient A's name, date of birth, age, account number, medical record number, diagnoses, medical procedure name with result, laboratory test name, and medication name with dose administered.
A copy of the email sent by the unintended recipient indicates "This was received in error..." The document is dated October 8, 2013 at 11:10 PM and addressed to the Chief Nursing Officer (CNO).
A review of the facility's policy and procedure titled, "Confidentiality of Protected Health Information" dated October 2010, indicated "It is the policy of (name of facility) to maintain confidentiality for patients and employees at all times and under all circumstances." Under number 6: "Protecting PHI: Appropriate levels of protection of confidentiality shall be afforded to all...electronic PHI."
The facility failed to ensure Patient A's medical documents were sent to the intended recipient resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights