Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 13, 2014. Also cited in 44 other reports.
Report ID: 3VR111.01, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to ensure the confidentiality of Patient A's health status and hospital stay when Employee 1, without authorization, disclosed protected health information (PHI) to a member of her family. This resulted in an unauthorized release of Patient A's health informationFindings:On November 14, 2014 at 12:40 PM, a phone interview was conducted with the Director of Compliance, Privacy and Security regarding an entity reported incident of a breach of PHI for Patient A that was detected by the facility on May 13, 2014.The Director of Compliance, Privacy and Security stated that while at her home, Employee 1 disclosed PHI to her daughter when her daughter asked her about their neighbor, Patient A. The facility was made aware of the incident when Patient A's wife reported that a family member of Employee 1 inquired about him being in the hospital when the family member of Employee 1 had no right to know.On December 16, 2014 at 9:00 AM, a phone interview was conducted with the Patient Care Director of the Rehab Unit and the immediate supervisor of Employee 1. The Patient Care Director confirmed Patient A was a patient on the unit that Employee 1 worked on when the breach occurred. The Patient Care Director stated Patient A is a well known member of Employee 1's neighborhood and during a normal course of conversation with her (Employee 1) daughter, the daughter asked about Patient A because she hadn't seen him around. Employee 1 told her daughter that he (Patient A) was doing "ok" and that she had seen him in the unit she worked on. The Patient Care Director stated that Employee 1 acknowledged that she told her daughter that she had seen Patient A on the unit where she worked and also acknowledged that it was wrong to do so. The Patient Care Director stated that Employee 1 did not have authorization to disclose Patient A's PHI.Employee 1 was uninterviewable due to termination of employment.A copy of the letter sent to Patient A dated May 19, 2014 informing him of the unauthorized disclosure of his PHI was reviewed.Employee 1's record of educational courses were reviewed and showed a Confidentiality Statement dated September 12, 2011 and signed by Employee 1.A review of the facility's policy and procedure titled "Patients' Rights" dated May 2013 reflects, "All Medical Center employees, .....,shall be responsible for maintaining the confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient or patient-related data."The facility failed to ensure the privacy and confidentiality of Patient A's health status and hospital stay resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights