Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 13, 2014. Also cited in 44 other reports.
Report ID: E1PM11, California Department of Public Health
Reported Entity: LOMA LINDA UNIV MEDICAL CTR EAST CAMPUS HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a Medical Doctor (MD 1) stapled a document containing Patient A's PHI to Patient B's discharge paperwork. This resulted in an unauthorized disclosure of Patient A's PHI.Findings:On November 14, 2014 at 12:30 PM, a phone interview was conducted with the Director of Compliance, Privacy and Security regarding an entity reported incident of a breach of Patient A's PHI detected by the facility on July 28, 2014. The Director of Compliance, Privacy and Security stated that MD 1 stapled a document which contained Patient A's name, medical record number, pertinent health information, chief complaint, medical diagnoses, and medication names to Patient B's discharge paperwork. The Director of Compliance, Privacy and Security stated that Patient B returned the breached document to the facility on July 28, 2014.The Director of Compliance, Privacy and Security stated that Patient A was notified of the breach of PHI on July 31, 2014.On December 17, 2014 at 3:00 PM, a phone interview was conducted with MD 1. MD 1 stated that the breached document which contained Patient A's PHI is not a document given to patients. MD 1 stated that his normal practice is to use the document to write his notes during his examination and then input the notes in the appropriate patient's electronic medical record. MD 1 stated that as he was preparing Patient B's discharge paperwork it was possible that he stapled the document containing Patient A's PHI to Patient B's paperwork. MD 1 stated it was his responsibility to prepare and provide the discharge documents for Patient B.A copy of the letter sent to Patient A, dated July 31, 2014, informing her about the breach of PHI was reviewed.A review of the breached document indicated the PHI of Patient A included her name, medical record number, pertinent health information, chief complaint, medical diagnoses and medication names.A review of MD 1's educational document indicated training in HIPAA compliance and competency. A document titled "HIPAA Compliance Acknowledgement/Agreement" was signed by MD 1 and dated May 19, 2003.A review of the facility's policy and procedure titled "Patients' Rights, Protection of Patient Privacy" dated May 2013 indicated "All Medical Center employees, members of the medical staff,...shall be responsible for maintaining the confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient or patient-related data."The facility failed to ensure the correct documents were given resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights