Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EL CENTRO REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 28, 2013. Also cited in 38 other reports.
Report ID: IY9H11.02, California Department of Public Health
Reported Entity: EL CENTRO REGIONAL MEDICAL CENTER
Issue:
Based on interview, record review and document review, the hospital failed to ensure each patient's medical record containing personal and protected health information was safeguarded against unauthorized access and unauthorized use. A total of 161 patients' protected health information (PHI) was unlawfully accessed by someone, and sent out electronically via e-mail (electronic mail) to a publication/press, and 2 other unauthorized recipients. None of the 161 patients affected by the incident had given the authorization for the release of their medical record information.Findings: On 3/28/13, an onsite visit of the hospital was conducted in response to a facility report that on 3/07/13, an anonymous letter containing patients protected health information (PHI) was unlawfully accessed, and disclosed to unauthorized recipients.On 3/28/13 beginning at 8:45 A.M., an interview was conducted with Staff A, the hospital's privacy compliance officer. She confirmed the report, and added that 161 patients were affected by the incident. She stated that someone (unknown person) had accessed the patients' protected health information and released the information electronically via e-mail communication to a publication/press, and 2 other unauthorized recipients. The protected health information included each patient's name, medical record number, account number, date of admission, date of discharge, type of service provided, and name of physicians. Staff A also acknowledged during the interview that none of the 161 patients affected by the incident had authorized the release of their protected health information. To date, the hospital had not confirmed the identity of the person who had unlawfully accessed and released the patients' protected health information.The above incident as it occurred was clearly in violation of the hospital's policies and procedures entitled Access to and Maintenance of Health Record, dated 7/21/11, and Accounting and Disclosure of Protected Health Information, dated 3/28/13. The hospital's policy included a policy statement whereby all patients health records should be used only within the facility for direct patient care by all authorized personnel who have legitimate need for access to the health record. The hospital's policy, and the patient's right to privacy and confidentiality of medical record information, were violated when someone accessed the patients' protected health information, and sent out the information via e-mail to unauthorized recipients not involved with patient care.The hospital's policy included a policy statement whereby a written authorization would be obtained from a patient or his/her legal representative prior to access, review and release of protected health information. The 161 patients affected by the incident had not given prior authorization for the release of their protected health record information. The incident resulted to the unauthorized release of patients' health information to unauthorized recipients.The hospital's policy included a policy statement whereby all requests for health records access be directed to the Health Information/Medical Record Department. The Department should provide the requested record for review and/or access. No requests were received and granted by this Department for this purpose. Beginning 3/14/13, letters were sent out by the hospital to 161 patients affected. The letters included the patient notification regarding the hospital's violation of the patient's right to privacy, unauthorized access and release of the patients' protected health record information to unauthorized recipients.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights