Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EL CENTRO REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 21, 2013. Also cited in 38 other reports.
Report ID: MYZB11, California Department of Public Health
Reported Entity: EL CENTRO REGIONAL MEDICAL CENTER
Issue:
Based on interview, record and document review the hospital failed to maintain the privacy rights for an unknown number of patients. Patient identifiable health information was inadvertently disclosed to third parties when archived x-ray films were released to a contracted service agency. Some of the released x-ray films were then found in an un-planned location and not in the possession of the contracted agency or the hospital.
Findings:
During an interview on 6/21/13 at 11:30 A.M., the Chief Executive Officer (CEO) stated that, in March of 2012, the hospital had entered into an agreement with an agency that was contracted to process archived x-ray films in a manner that converted the x-ray report information onto digital hard drives. The agreement included that the contract agency would provide certification of the x-ray film destruction, after the digitalized x-ray records were provided to the hospital on hard drives. The CEO stated that the contract agency had rented a local commercial space to conduct the x-ray film processing procedures. The CEO stated that patient x-ray films from "approximately 10 years ago and thousands of reports" were removed from the hospital and taken to the rented commercial space for the digitalization process. The information reflected on the x-ray reports included patient names, dates of birth, addresses, medical record/account numbers, physician names, diagnoses/procedures, x-ray interpretations, health insurance information and social security numbers. The CEO stated that the hospital had not developed or implemented specific procedures for the actual turnover, removal and oversight of the x-ray films by the contracted agency. The CEO stated that the hospital had not maintained documentation or recorded the actual numbers of x-rays removed or the patient names/medical record numbers that were released.
The CEO stated that in "late July of 2012" the contract agency was found to have abandoned the rented storage space, leaving behind some of the x-ray films. The CEO stated that the contract agency had not fulfilled the obligations of the agreement and had not provided the hospital with the hard drives and certificate of destruction of the x-ray films. In addition, the CEO stated that, in "late of March of 2013", more hospital x-rays and paper documents were discovered in a warehouse located in another state.
A review of the facility policy entitled Access to and Maintenance of the Health Record, dated 3/28/13, included "The Health Information/Medical Records Department will be responsible for retaining the documentation of the designated record set..All individuals engaged in the collection, handling or dissemination of patient health information should protect the confidentiality of patient data...Access to areas housing health information records shall be limited to authorized personnel."
During an interview on 6/21/13 at 1:30 P.M., the CEO acknowledged that the hospital had not maintained oversight of patient medical records and x-ray films in a manner that ensured patient privacy and protection from unauthorized access.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights