This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

KAISER FOUNDATION HOSPITAL-MORENO VALLEY

27300 IRIS AVENUE, MORENO VALLEY, CA 92555

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 9, 2013. Also cited in 13 other reports.


Report ID: MMBR11, California Department of Public Health

Reported Entity: KAISER FOUNDATION HOSPITAL-MORENO VALLEY

Issue:

Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patients 2 and 4). Patient 2's and 4's confidential information was given to Patient 3 sometime during her facility stay from September 15 through 18, 2011. This resulted in the unauthorized disclosure of Patient 2's and 4's protected health information.

Findings:

On October 9, 2013, at 1 p.m., an interview was conducted with the Manager Intensive Care Unit (MICU). The MICU stated:

a. On September 18, 2011, Patient 3 was discharged from the facility.

b. On September 23, 2013, Patient 3 was going through her paperwork at home from her hospitalization in September 2011, and discovered medical records for Patients 2 and 4 in her records.

c. On September 23, 2013, Patient 3 returned the records to the facility's Continuous Ambulatory Peritoneal Dialysis (CAPD) Department during a regular appointment and the CAPD staff notified the facility compliance officer.

d. Patient 3 stated she reviewed the records and one of the patients had the diagnosis of AIDS.

Patient 3 received and had an opportunity to view Patient 2's PHI, which included name, medical record number, history, diagnoses, medications, race and language preference.

Patient 2 was informed of the disclosure of his protected health information (PHI) via a telephone call from the MICU, on September 26, 2013, and a letter dated and mailed on September 26, 2013, to Patient 2's last known address.

Patient 3 received and had an opportunity to view Patient 4's PHI, which included name, medical record number, encounter number, admit date, physician's name, orders for treatment, age, gender, past facility visits, and diagnoses.

Patient 4's responsible party was informed of the disclosure of Patient 4's protected health information (PHI) via a telephone call from the MICU, on September 26, 2013, and a letter dated and mailed on September 26, 2013, to Patient 4's responsible party.

The California Department of Public Health (CDPH) was notified via a telephone call of the unauthorized access of Patient 2's and 4's PHI, on September 27, 2013; and a letter dated September 30, 2013, and received October 3, 2013.

The facility policy and procedure titled "Notification Regarding Breaches of Protected Health Information" revised June 2013, revealed "... A Licensee must report to DPH (California Department of Public Health) any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined, no later than 5 business days after the facility detects the above occurrence. ... A Licensee must also notify the affected patient (or, as applicable, the patient's representative) at the last known address, no later than 5 business days after the Licensee detects the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information. ..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
