Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ARROWHEAD REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 21, 2015. Also cited in 9 other reports.
Report ID: ZLDW11, California Department of Public Health
Reported Entity: ARROWHEAD REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A, when Patient A's supervisor accessed Patient A's PHI on the facility's computer.Findings:On May 6, 2015 at 10:51 AM, a telephone interview was conducted with Patient A's supervisor regarding an entity reported incident of a breach of PHI for Patient A, detected on March 27, 2015. Patient A's supervisor stated that he was informed his employee (Patient A), was either coming to, or in the Emergency Room (ER). Shortly after he heard the news, he heard that a code (a medical emergency) was called in the ER. The supervisor stated he panicked, and was hoping it was not his employee. He looked Patient A up in the computer to see if he was in the ER yet, and if so, what bed he was in so he could go visit. Supervisor A also stated he forgot to log out of the computer, which is why Patient A's information was logged into for 35 min. He stated he only looked to see if Patient A was in the ER and if so, where Patient A was, and did not view any of the other data.During a review of the documentation on the computer page which was accessed by Employee 1, the computer page contained Patient A's name, age, date of birth, chief complaint, lab orders and results.A copy of a letter mailed to Patient A informing him of the breach of his PHI which occurred on February 3, 2015 was reviewed. The letter was dated April 17, 2015.The facility policy and procedure titled "Uses and Disclosures of Protected health Information" revised, dated October 28, 2010, indicated; "It is the policy of (the facility) that an individual's identifiable protected health information (PHI) may only be used within the (facility) or disclosed to entities outside the (facility) after notification to and /or with the expressed permission of the patient, except in cases of emergency or where specifically permitted or required by law."The facility failed to ensure a computer was not accessed by a supervisor to locate Patient A, resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights