Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CLOVIS COMMUNITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 17, 2012. Also cited in 27 other reports.
Report ID: ZZII11, California Department of Public Health
Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER
Issue:
Based on staff interview, facility and administrative document review the facility failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's triage record was mistakenly given to Patient 2.2. Patient 3's identification arm band was mistakenly given to Patient 4.3. Patient 5's claim form was faxed to the wrong payer.This failure placed Patient 1, Patient 3 and Patient 5's PHI at a potential risk for unauthorized use.Findings:Refer to CA002961511. On 2/17/12 at 10:45 a.m., Staff 1 (Privacy Officer) stated on 1/10/12 the facility identified a possible privacy breach. The facility's internal investigation revealed on 12/26/11, Staff 2 (Patient Representative) mistakenly gave Patient 1's triage record to Patient 2. Staff 1 stated Staff 2 did not check the patient's identification band to ensure the right patient was receiving the right documents.On 2/24/12 at 11:22 a.m., Staff 1 stated the triage record contained Patient 1's name, date of birth, date of service, address, phone number, medical record number, diagnosis and social security number.The facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes...The facility may only use or disclose PHI if the patient has given a valid authorization.Refer to CA002963352. On 2/17/12 at 10:45 a.m., Staff 1 stated on 1/11/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Staff 3 (Patient Representative) mistakenly gave Patient 3's identification arm band to Patient 4. Staff 1 stated Staff 3 violated the facility's policy to ensure each patient received the correct identification band. On 2/24/12 at 11:22 a.m., Staff 1 stated the arm band contained Patient 3's name, date of birth, medical record number and account number.On 2/24/12 the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes...The facility may only use or disclose PHI if the patient has given a valid authorization."On 2/24/12 the facility policy and procedure number 12023 titled "Patient Identification," dated 3/15/10, contained the following documentation: "The foundation of providing quality patient care is based on accurate patient identification. Employee interacting with patients is accountable for ensuring proper patient identification."Refer to CA002966573. On 2/17/12 at 10:45 a.m., Staff 1 stated on 1/13/12 the facility identified a possible privacy breach. The facility's internal investigation revealed Staff 4 (Patient Representative) mistakenly faxed Patient 5's claim form to the wrong payer. Staff 1 stated it was staff 4's responsibility to ensure PHI was sent to the correct destination.On 2/24/12 at 11:22 a.m., Staff 1 stated the claim form contained Patient 5's name, date of birth, date of service, address, medical record number, account number, clinical services provided and charges.On 2/24/12 the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form. ...Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes...The facility may only use or disclose PHI if the patient has given a valid authorization.On 2/24/12 the facility policy and procedure number 12108, titled "Facsimile Transmission of Health Information," date 7/26/10, contained the following documentation: "Staff members faxing patient information shall take reasonable steps to ensure that the fax transmission is sent to the appropriate destination.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights