
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

MAMMOTH HOSPITAL

85 SIERRA PARK ROAD, PO BOX 660, MAMMOTH LAKES, CA 93546

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 3, 2013. Also cited in 15 other reports.


Report ID: CXKY11.01, California Department of Public Health

Reported Entity: MAMMOTH HOSPITAL

Issue:

Based on interview and record review, the facility failed to protect the confidential, protected health information (PHI) for Patient A, when an Emergency Department registered nurse (RN 1) handed a compact disc (CD) which contained laboratory studies for Patient A to Patient B upon discharge from the Emergency Department (ED), without verifying the name. This had the potential to result in a breach of Patient A's PHI, and placed the patient at risk for identity theft.

FINDINGS:

On August 7, 2013, at 4:20 PM, a phone interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of a possible breach of PHI for Patient A.

On September 3, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on December 3, 2012, at 10:10 AM, Patient B informed the facility she had been given another patient's (Patient A's) PHI upon discharge from the ED on November 30, 2012. Patient B stated she had not checked the disk [CD containing Patient A's laboratory studies] until December 3, 2012, when she realized the information was not hers. Per the facility investigation, Patient A's laboratory studies (PHI), on disk, had been left near the reproduction machine. RN 1 picked up the CD believing it was part of Patient B's discharge instructions. RN 1 gave Patient B the CD containing Patient A's PHI in error, upon discharge.

On September 10, 2013, a review was conducted of the facility's policy and procedure (P&P), titled, "Emergency Department Release of Information," revised October 17, 2005. It revealed the following:

The purpose of the P&P was to ensure that the patient health record is maintained and handled in a secure and confidential manner, while adhering to all applicable federal and state laws.

PHI shall be made available upon request to authorized persons in order to provide continuity of care and to allow for the necessary operations of (facility name).

Emergency Department staff are responsible to release information regarding patient's current ED visit to the patient upon leaving the ED or when transferring the patient to another facility for continuing patient care.

On September 10, 2013, a review was conducted of RN 1's personnel file. It contained a signed confidentiality oath, signed November 1, 2010, and training on Patient Rights, Confidentiality, and HIPAA, on February 24, 2011, January 14, 2012, and January 10, 2013. RN 1 was given a verbal reprimand regarding her involvement in the breach.

The Facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patient (PHI), which resulted in Patient A being placed at risk of identity theft, when a CD containing laboratory studies for Patient A was released to Patient B without authorization.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
