Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MENIFEE VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 8, 2015. Also cited in 14 other reports.
Report ID: K7W011, California Department of Public Health
Reported Entity: MENIFEE VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 1). Patient 1's confidential information was given to Patient 3's responsible party when Patient 3 was discharged from the facility on March 31, 2015. This resulted in the unauthorized disclosure of Patient 1's protected health information (PHI).Findings:On April 1, 2015, at 8:12 a.m., a telephone interview was conducted with a family member for Patient 3. Patient 3's family member stated they were in receipt of Patient 1's discharge instructions, which included Patient 1's name, medical record number, date of birth, and current medication. Patient 3's family member stated Patient 1's discharge instructions had been stapled to Patient 3's discharge instructions on March 31, 2015, when Patient 3 was discharged from the facility. Patient 3's family member stated they informed the facility of the breach in Patient 1's PHI on April 1, 2015.On April 24, 2015, at 8:09 a.m., an interview was conducted with the Director Health Information Management (DHIM). She stated: a. On March 31, 2015, Patient 3 was discharged from the facility and discharge instructions were provided to the patient and the patient's responsible party.b. On April 1, 2015, Patient 3's responsible party contacted the facility Director Emergency Department/Inpatient Services (DEDIS) via telephone to inform her they were in receipt of Patient 1's discharge medication information.c. On April 22, 2015, Patient 3's responsible party returned to the facility and provided a "copy" of the documents that had been given to Patient 3/Patient 3's responsible party on March 31, 2015, and which were the PHI belonging to Patient 1. Patient 3's responsible party opted to keep the original documents, belonging to Patient 1, and given to Patient 3 at the time of discharge from the facility.d. The Registered Nurse (RN) who handed the discharge instructions to Patient 3/Patient 3's responsible party, on March 31, 2015, had not followed the facility policy of verifying the correct documents were being given to the correct patient prior to giving Patient 3/Patient 3's responsible party the documents.Patient 3/Patient 3's responsible party received and had an opportunity to view Patient 1's PHI, which included name, medical record number, account number, date of birth, date of service, physician's name, and information about a medication being prescribed for the patient.Patient 1 was informed of the disclosure of her protected health information (PHI) via a letter dated and mailed on April 15, 2015, to her last known address.The California Department of Public Health (CDPH) was notified via a facsimile received on April 16, 2015, of the unauthorized access of Patient 1's PHI.The facility policy and procedure titled "Discharge" revised/reviewed September 2013, revealed "... Identify the patient using two (2) patient identifiers. ... Teach procedures, medications and appointments for home care. Explain and write activity restrictions, diet and when to call the physician. Provide the patient a copy of written instructions. ..."The facility policy and procedure titled "Breach of PHI - Notification Requirements" revised/reviewed January 2015, revealed "... The Hospital shall report in writing, by facsimile and certified mail, return receipt requested, any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the nearest regional office of the California Department of Public Health no later than fifteen (15) business days after the unlawful or unauthorized access, use, or disclosure has been detected by the Hospital. ... The Hospital shall also report in writing, by facsimile and certified mail, return receipt requested, any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information of the affected patient or the patient's representative at the last known address, no later than fifteen (15) business days after the unlawful or unauthorized access, use, or disclosure has been detected by the Hospital. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280