Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ARROWHEAD REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 13, 2014. Also cited in 9 other reports.
Report ID: NGSD11.01, California Department of Public Health
Reported Entity: ARROWHEAD REGIONAL MEDICAL CENTER
Issue:
Based on interview, and record review, the facility failed to report to the California Department of Public Health, Licensing and Certification Unit (CDPH, L&C) within the regulatory required five business days, when there was a breach of protected health information (PHI) for Patient B, when her discharge instructions and prescription were given to another patient (Patient A). This had the potential to place Patient B at risk for identity theft.Findings:An unannounced visit was made to the facility on March 13, 2014 at 3:30 PM, to investigate an entity reported incident of a breach of PHI for Patient B.During an interview with the facility privacy officer (FPO) on March 13, 2013 at 3:50 PM, he stated, "Patients A and B were being discharged from the emergency room (ER) on February 1, 2014. The nurse gave Patient A, the discharge instructions and prescription intended for Patient B. The breach was discovered when Patient A called the Patient Advocate on February 7, 2014 to complain about her bill, and received the wrong discharge instructions. I was not made aware until February 11, 2014. I called Patient A that same day, and requested that she return the discharge packet and prescription to the facility, which she did the next day."A review of the letter sent to CDPH L&C, dated February 20, 2014, to notify the department of the breach of PHI, was conducted with the FPO at 4:00 PM. This was nine days after the facility had been made aware a breach had occurred, and seven days after it had been addressed to the FPO.The facility failed to notify CDPH L&C and Patient B within five business days, after the breach was detected as per regulation.
Outcome:
Deficiency cited by the California Department of Public Health: HSC Section 1279