Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Ukiah Valley Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 10, 2012. Also cited in 31 other reports.
Report ID: 19ZT11, California Department of Public Health
Reported Entity: UKIAH VALLEY MEDICAL CENTER/HOSPITAL D
Issue:
Based on staff interview and facility record review, the facility failed to ensure that protected patient health information (PHI), was safeguarded from unauthorized use for one patient (Patient 1), when copies of Patient 1's medical records were released to a family member who was not the Durable Power of Attorney ( DPA). Findings:On 3/16/12 at 8:42 a.m., the California Department of Public Health received a faxed report from the facility that a breach of patient health information had occurred on 1/18/12, and the facility had become aware on 3/15/12. During an interview on 4/10/12, at 1:15 p.m., Administrative Staff A stated that on 1/18/12, the Patient 1's son had gone to the facility's medical clinic and requested to have copies of Patient 1's medical records. The son was sent to the facility's medical records department where he told Staff B that his mother, Patient 1, had died. The son had a copy of Patient 1's death certificate and stated he was next of kin and requested copies of Patient 1's medical records. Staff B had the son sign a release, and gave the sone copies of Patient 1's medical records. Review of the facility's unusual occurrence report revealed, on 3/15/12, Patient 1's daughter, who was the Durable Power of Attorney for Patient 1, called the facility and requested copies of Patient 1's medical records. When the daughter was told that her brother had requested copies of Patient 1's medical records, in January 2012, the daughter informed the facility that the records should not have been released to her brother because he was not the DPA, nor had he been named on the Advance Directive for Patient 1. During additional interview on 4/10/12, Administrative Staff A stated the facility's investigation of the incident revealed that Staff B had not looked in Patient 1's chart to see who was the DPA. Staff B and all the medical records staff were re-educated and in-serviced as to the importance of releasing medical records to the right person.Administrative Staff A stated a follow-up letter about the breach was sent to Patient 1's daughter.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280