Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EL CENTRO REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 18, 2013. Also cited in 38 other reports.
Report ID: 91J011.02, California Department of Public Health
Reported Entity: EL CENTRO REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI- is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual) from unauthorized person(s) in accordance with their policies and procedures, for 1 of 2 sampled patients (Patient 1). Patient 1's MRI (magnetic resonance imaging - a test that uses a magnetic field and pulses of radio wave energy to make pictures of organs and structures inside the body) order which contained PHI was mailed to the wrong person (Patient 2- unintended recipient).Failure to ensure that each document containing PHI was mailed to the correct patient led to the inadvertent and unauthorized disclosure of Patient 1's confidential and protected health record. This failure was also a violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.Findings: On 9/12/13 at 4:39 P.M., the hospital reported to the California Department of Public Health that Patient 2 received Patient 1's MRI order.Patient 1 was seen at the hospital's outpatient clinic on 8/30/13 per the Facesheet.Patient 2 was also seen at the hospital's outpatient clinic on 8/30/13 per the Facesheet. A telephone interview with the Privacy Officer was conducted on 1/8/15 at 3:00 P.M. The Privacy Officer stated that Patient 1's MRI order was inadvertently given to Patient 2. Per the Privacy Officer, the MRI contained the following confidential patient information: patient name, date of birth, phone number, home address, dates of service, diagnosis, description of procedure, and physician name.A telephone interview was conducted with the medical assistant (MA 1) on 1/9/15 at 8:50 A.M. MA 1 stated that she mailed Patient 1's MRI order to the wrong patient. She stated that both patients (Patient 1 and Patient 2) were seen at the hospital's outpatient clinic on 8/30/13. Per MA 1, both patients were awaiting appointments for a study to be performed. She stated that she mailed Patient 1's MRI order to Patient 2, who was not the intended recipient. MA 1 explained that the clinic's process was to have the patient verbalize their name and then each document was reviewed to ensure that the patient's name was found on each document before the documents were handed to the patient.According to the hospital's policy titled "Access to and Maintenance of the Health Record", dated 3/28/13, indicated that "All individuals engaged in the collection, handling or dissemination of patient health information should protect the confidentiality of patient data...." Per the same policy, it stipulated that "Health records shall be available for use within the facility for direct patient care by all authorized personnel who have a legitimate need for access to the health record."According to the hospital's policy titled "Rights and Responsibilities; Patient", dated 4/9/13, indicated that "... the hospital shall provide processed support <for> the following patient rights." Per the same policy, one of the rights stipulated that "To receive confidential treatment of all communications and records pertaining to the care and the stay in the hospital. The patient will receive a separate [Notice of Privacy Practices] that explains their privacy rights in detail and how we may use and disclose their protected health information...."A telephone interview with the clinic manager (CM 1) was conducted on 1/9/15 at 9:00 A.M. CM 1 stated that she "kind of" recalled this incident. She stated that the clinic's process was to use 2 patient identifiers which were the patient's name and date of birth. She explained that each document was checked to ensure that both the patient's name and date of birth were on each document prior to handing the documents to the patient. Per CM 1, this process was in place to ensure that all confidential patient information (documents) were given to the correct patient. She acknowledged that MA 1 mailed Patient 1's MRI order to the wrong person.A follow-up telephone interview with the Privacy Officer was conducted on 1/9/15 at 9:10 A.M. The Privacy Officer acknowledged that an unauthorized disclosure of confidential patient information occurred when Patient 1's MRI order was mailed to the wrong person (unintended recipient).
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights