Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
HEMET VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 31, 2012. Also cited in 39 other reports.
Report ID: UY8Z11, California Department of Public Health
Reported Entity: HEMET VALLEY MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed for two patients (Patient A and B) to ensure PHI was not disclosed to an entity not authorized to receive the information. This failure had the potential to result in the misuse of the patients' PHI.Findings: On May 24, 2012, the facility submitted information to the CDPH to report a privacy breach related to a misdirected fax. A review of the information submitted by the facility indicated:On May 18, 2012, the facility was notified that an unintended recipient had received patient identifiable information via a fax on May 4, 2012:The documents were being faxed to a skilled nursing facility for potential placement;Patient A's documents included fax cover sheet, CBC results, SNF Transfer Orders and Reports, History and Physical, and Inpatient Admission Registration sheet;Patient B's documents included Patient B's fax cover sheet, Cumulative Laboratory Summary, Medication Administration Record, History and Physical, and Inpatient Registration Sheet; andPatient identifying information contained in the medical record documents included: Patient name, account number, medical record number, date of birth, age, sex, room number, name of test, date of test, physician name, clinical information diagnostic impression and plan for care. The information also included the patients' demographic information. On August 31, 2012, at 11:30 a.m., an unannounced visit was made to the facility to investigate this breach of PHI.In an interview with Case Manager 1, on August 31, 2012, at 11:45 a.m., the Case Manager stated there were no predialed numbers on the fax machines and she was unsure if there was a policy for faxing. The Case Manager stated when she faxed an item to an outside entity; she would verify the number with the facility, send with fax cover sheet (with privacy statement) and, call to confirm that documents reached the intended recipient. On September 10, 2012, at 2:40 p.m., the facility's Health Information Manager was interviewed. The HIM stated an investigation into the incident revealed the fax numbers were transposed, resulting in the documents being sent to a private party. The unintended recipient reported she had received the fax documents containing patient identifiable information. The facility's policy and procedure titled "External Faxing of "Protected Health Information," with a last reviewed/revised dated of May 2012, indicated "All staff who fax PHI will be required to accurately and completely fill out a Fax Cover Sheet and have a "Time Out" performed prior to the information being faxed. The facility's policy and procedure titled "Breach of PHI-Notification Requirements," with a created date of November 2010, indicated "Individually identifiable," was medical information including any element of personal identifying information sufficient to allow identification of an individual. "Unlawful or Unauthorized Access," means inappropriate access, review, or viewing of patient medical information without a direct need for the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280