Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MAMMOTH HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 6, 2014. Also cited in 15 other reports.
Report ID: TY7Y11.01, California Department of Public Health
Reported Entity: MAMMOTH HOSPITAL
Issue:
Based on interview and record review, the facility failed to report a breach of protected health information (PHI) to the California Department of Public Health, Licensing and Certification Unit (CDPH, L&C) within five (5) business days as required by regulation. This failure to report could result in delay in the reporting of future breaches.Findings:On July 8, 2014 a review of the facility's "Incident Report" indicated that the breach of PHI for Patient A was detected on March 5, 2013 and Reported to CDPH on March 12, 2013.On July 21, 2014 at 10:20 AM, a telephone interview was conducted with the billing supervisor at the facility's contracted billing company. She stated that the billing department had received a faxed hand written letter from Patient B on January 21, 2013, along with a copy of Patient A's medical bill that Patient B had received in error. The billing supervisor further stated that the letter and Patient A's medical bill were forwarded via email to patient accounting representative (PAR 1) at (facility name) on February 1, 2013 and a telephone phone call from PAR 1 was documented as received by the billing company on February 19, 2013 regarding update on dispute and instructions for the billing company related to this case.On July 21, 2014 at 11:00 AM, during an interview with the FPO, she stated that she was not informed by PAR 1, (mentioned by name) that any notification was received on February 1, 2013 from the billing company regarding a letter and a bill received in error by Patient B for Patient A. The FPO further stated that the first notification she received regarding a breach was on March 5, 2013, when she had received an email from PAR 2 regarding a letter from Patient B and a medical bill received in error by Patient B, intended for Patient A and confirmed that PAR 1 and PAR 2 shared equal responsibility in making notification timely to the FPO upon receipt of information indicating that a breach of Patient A's PHI had occurred. A review of facility "Incident Report" was conducted, it indicated: "I (FPO) asked PAR 2 when she received this information (letter from Patient B and copy of Patient A's medical bill received by Patient B in error) as there was a delay in getting information to me. She was vague in her response, but thought around the beginning of February 2013. She had no explanation why she didn't notify me until March 5, 2013."A facility policy and procedure titled "Reporting Requirements for Privacy and Security Related Incidents" was not in place at the time of occurrence. Effective date was October 23, 2013.Failure of the facility to notify CDPH within 5 business days from the date the breach of Patient A's PHI was detected, resulted in the breach not being reported until March 12, 2013, twenty six (26) business days from the date of detection on February 1, 2013.
Outcome:
Deficiency cited by the California Department of Public Health: HSC Section 1279