Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
HEMET VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 31, 2013. Also cited in 39 other reports.
Report ID: B3CC11.01, California Department of Public Health
Reported Entity: HEMET VALLEY MEDICAL CENTER
Issue:
Based on interview and facility document review, the facility failed to prevent unauthorized access and/or disclosure of Patient 1's medical information, when Patient 1's laboratory results were sent with Patient 2 upon transfer to a Skilled Nursing Facility (SNF). This failure had the potential to result in misuse of private/protected information.Findings:On October 31, 2013, at 11 a.m., the Director of Quality (DQ), was interviewed. The DQ stated Patient 2 was transferred to a SNF on June 13, 2013. The SNF notified the facility they had received lab results for another patient (Patient 1) within the transfer paperwork for Patient 2, and had shredded the documents. The SNF did not identify the name of Patient 1. The DQ stated the nurse, who received the phone call from the SNF, filled out a report using the internal reporting process on June 14, 2013. The DQ stated the report generated email notifications to the quality department as well as the manager of the unit in which the report generated from. The DQ stated during routine reviews of the status of internal reports, on July 10, 2013, she found the potential breach had not been investigated or reported.In a concurrent interview with the PO, she stated the quality department notified her of the potential breach on July 10, 2013 (32 days after the incident was first reported to the facility). The PO stated she investigated the incident, and was able to determine a breach had occurred. She stated laboratory reports contained the name, date of birth, medical record number, and lab results of the patient. However she was unable to view the exact report because it had already been shredded. In addition, she was unable to determine the name of Patient 1, and therefore was unable to notify the patient. The facility policy titled "Breach of PHI - Notification, dated November 2010, indicated "Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as patient's name..., or other information that, alone or in combination with other publicly available information, reveals the individual's identity."The policy further indicated, "Unlawful or Unauthorized Access means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280