
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

MAMMOTH HOSPITAL

85 SIERRA PARK ROAD, PO BOX 660, MAMMOTH LAKES, CA 93546

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 18, 2013. Also cited in 15 other reports.


Report ID: HGQG11, California Department of Public Health

Reported Entity: MAMMOTH HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) of Patient A, when a hospital bill with Patient A's PHI was sent to Patient B without Patient A's authorization. This placed Patient A at risk for identity theft.

FINDINGS:

On August 7, 2013, at 4:10 PM, a phone interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of possible breach of Patient A's PHI.

On October 18, 2013, a review was conducted of the entity reported incident. The facility investigation was also reviewed, which revealed that on December 12, 2012, Patient B informed the facility he had received a bill for services which he did not incur. Patient B stated he believed his brother (Patient A) had been seen on the two days listed on the bill. Patient B informed his brother (Patient A) that his hospital bill had been sent to Patient B in error, at their joint post office box. Per the facility investigation, facility staff identified in the computer that both Patients A and B shared the same first and last name and post office box; only their middle names were different.

On August 7, 2013, a review of the bill was conducted. It revealed Patient A's PHI disclosed without authorization to Patient B included: Patient A's name, dates of service, medications and treatments he had received.

On October 18, 2013, a review was conducted of facility policies and procedures, "Release of Information," revised October 17, 2005. It revealed the following:

a. "The purpose of the P&P was to ensure access of patient health records to authorized persons while maintaining appropriate levels of security and confidentiality of our patients' protected health information (PHI)."

b. "It is the policy of (hospital) that all physicians and staff preserve the integrity and the confidentiality of our patients' PHI"

On November 12, 2013, a phone interview was conducted with the FPO, who confirmed the incident. The FPO stated that she had contacted their contract billing agency, who had mailed the billing, and was informed that the individual who changed the name on Patient A's account to Patient B was no longer employed at the agency, and there was no documentation to explain why the name had been changed.

The facility failed to clarify that the correct patient name and address were listed in the computer to include a name alert, which resulted in the release of Patient A's PHI to Patient B, placing Patient A at risk for identity theft.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
