Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 13, 2014. Also cited in 44 other reports.
Report ID: J9XQ11.01, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a Licensed Vocational Nurse (LVN 1) transported Patient A's medical records in a sealed envelope, but not in a designated container marked confidential, to her home. The LVN's vehicle was reported stolen on May 14, 2014 and on May 16, 2014 LVN 1 detected the medical records of Patient A were in the vehicle that was stolen.Findings:On November 14, 2014 at 1:00 PM, a phone interview was conducted with the Director of Compliance, Privacy and Security regarding an entity reported incident of a breach of PHI for Patient A that was detected on May 16, 2014. The Director of Compliance, Privacy and Security stated LVN 1's vehicle was reported as being locked when the vehicle was reported as stolen. Inside the stolen vehicle was Patient A's medical record which contained Patient A's PHI. The Director of Compliance, Privacy and Security also stated that LVN 1 was supposed to bring all work related documents into her home and not be left in her vehicle.On December 5, 2014 at 10:00 AM, a phone interview was conducted with the Registered Nurse (RN) Clinical Supervisor regarding an entity reported incident of a breach of PHI for Patient A. The RN Clinical Supervisor stated that LVN 1 did not follow the policy and procedures of the facility. She further revealed the sealed envelope which contained Patient A's medical records were not inside a designated confidential container as per the facility policy and procedure requirements. The RN Clinical Supervisor stated that Patient A was notified of the breach of PHI on May 16, 2014.LVN 1 was unable to be interviewed due to termination of employment. A copy of the letter sent to Patient A, dated May 20, 2014, informing her about the breach of PHI was reviewed.A review of the documents which were in the stolen vehicle (later recovered along with the sealed envelope containing Patient A's medical records) was conducted and indicated the PHI of Patient A included her name, date of birth, medical record number, medical diagnosis and pertinent health data. LVN 1's educational document was reviewed and indicated training in compliance, HIPAA competency and privacy. A document titled "Confidentiality Statement" was signed electronically by LVN 1 and dated February 24, 2012.A review of the facility's policy and procedure titled "Patients' Rights, Protection of Patient Privacy" dated May 2013 reflects under general provisions "All Medical Center employees,...shall be responsible for maintaining the confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient-related data". Under section transport of PHI it reflects "PHI shall not be left unattended in unlocked vehicles (or outside containers designated as confidential) and visible from the outside of the vehicle". It also reflects "The workforce member is responsible for maintaining the privacy and security of all PHI they may be transporting or using off-site".A review of a document dated June 2, 2014 addressed to "Family Care Staff" indicates a notice to reinforce the facility's procedure for transporting patient medical records. At the bottom of the document is writing for staff name, signature and date indicating acknowledgement.A review of a document dated June 2014 that replaces the policy dated June 2012, with subject titled "Protection of Clinical Record Field Notes" reflects a system change put in place after the breach and indicates "Supervisory staff shall perform random inspections of field clinical staff vehicles for the presence of improperly secured patient PHI to determine that procedures are being followed...".The facility failed to ensure the privacy and confidentiality of Patient A's medical records resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights