Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Adventist Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 17, 2012. Also cited in 29 other reports.
Report ID: Y2IX11, California Department of Public Health
Reported Entity: ADVENTIST MEDICAL CENTER
Issue:
Based on staff interview, facility and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's discharge instructions were mistakenly given to Patient 2's mother.2. Patient 3's discharge instructions were mistakenly given to Patient 4.3. Patient 5's discharge instructions were mistakenly given to Patient 6.4. Patient 7's Emergency Room (ER) medical record was mistakenly faxed to a private business.These failures placed the PHI for Patient 1, 3, 5 and 7 at a potential risk for unauthorized use.Findings:Refer to CA003073131. On 5/17/12 at 4:05 p.m., Staff 1 (Privacy Officer) stated on 4/14/12, during the discharge process Staff 2 (Registered Nurse) mistakenly gave Patient 1's discharge instructions to Patient 2's mother. Staff 1 stated Staff 2 should have checked the patient's identification band to ensure the right patient was receiving the right documents.On 5/21/12 at 9:40 a.m., Staff 1 stated the discharge instructions contained Patient 1's name, date of birth, date of service, phone number, medical record number, account number, diagnosis, attending physician and generalized care instructions.The facility policy and procedure number 1000.08.09 titled Confidentiality of Protected Health Information contained the following documentation: "Adventist Health is committed to protecting the privacy and security of protected health information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. This commitment must be supported by working to see: That access to the medical record is restricted based on the minimum amount of protected health information (PHI) necessary to accomplish the intended purpose of any use, disclosure or request; That access to the medical record can be managed through concurrent controls and retrospective auditing in order to safeguard the information that it contains; That PHI in all other forms, including oral, is maintained in confidence. "Refer to CA003073222. On 5/17/12 at 4:05 p.m., Staff 1 (Privacy Officer) stated on 4/16/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed on 4/8/12, during the discharge process Staff 3 (Registered Nurse) mistakenly gave Patient 3's discharge instructions to Patient 4. Staff 1 stated Staff 3 should have checked the patient's identification band to ensure the right patient was receiving the right documents.On 5/21/12 at 9:40 a.m., Staff 1 stated the discharge instructions contained Patient 3's name, date of birth, date of service, medical record number, account number, diagnosis, attending physician and general care instructions.The facility policy and procedure number 1000.08.09 titled Confidentiality of Protected Health Information contained the following documentation: "Adventist Health is committed to protecting the privacy and security of protected health information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. This commitment must be supported by working to see: That access to the medical record is restricted based on the minimum amount of protected health information (PHI) necessary to accomplish the intended purpose of any use, disclosure or request; That access to the medical record can be managed through concurrent controls and retrospective auditing in order to safeguard the information that it contains; That PHI in all other forms, including oral, is maintained in confidence. "Refer to CA003087543. On 5/17/12 at 4:05 p.m., Staff 1 (Privacy Officer) stated on 4/8/12, during the discharge process Staff 4 (Registered Nurse) mistakenly gave Patient 5's discharge instructions to Patient 6. Staff 1 stated Staff 4 should have checked the patient's identification band to ensure the right patient was receiving the right documents.On 5/21/12 at 9:40 a.m., Staff 1 stated the discharge instructions contained Patient 5's name, date of birth, date of service, phone number, medical record number, account number, diagnosis, attending physician and general care instructions.The facility policy and procedure number 1000.08.09 titled Confidentiality of Protected Health Information contained the following documentation: "Adventist Health is committed to protecting the privacy and security of protected health information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. This commitment must be supported by working to see: That access to the medical record is restricted based on the minimum amount of protected health information (PHI) necessary to accomplish the intended purpose of any use, disclosure or request; That access to the medical record can be managed through concurrent controls and retrospective auditing in order to safeguard the information that it contains; That PHI in all other forms, including oral, is maintained in confidence. " Refer to CA00310829.4. On 5/17/12 at 4:05 p.m., Staff 1 (Privacy Officer) stated on 5/14/12 Staff 5 (Health Information Analyst) mistakenly faxed Patient 7's ER record to a private business. Staff 1 stated it was Staff 5's responsibility to verify fax numbers when faxing PHI and to ensure PHI is faxed to the correct destination. On 5/21/12 at 9:40 a.m., Staff 1 stated the ER record contained Patient 7's name, date of birth, address, phone number, date of service, medical record number, account number, attending physician, diagnosis, medical history, medication, treatment, medical imaging report and laboratory results.The facility policy and procedure number 1000.08.09 titled Confidentiality of Protected Health Information contained the following documentation: "Adventist Health is committed to protecting the privacy and security of protected health information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. ...Breach of patient confidentiality through carelessness is when patient information is unintentionally or carelessly accessed, reviewed, or revealed without a legitimate need to know the patient information." The facility's policy and procedure number 1000.03.14, titled "Faxing Patient Protected Health Information contained the following documentation: "It is the sender's responsibility to be aware of the content of the faxes they are sending, to exercise caution in faxing confidential information, and to take precautionary steps to: validate the fax number, key in correct fax number, confirm fax sent to correct fax number, as well as, request is appropriate and meets minimum necessary."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights