Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EISENHOWER MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 12, 2013. Also cited in 279 other reports.
Report ID: 504711, California Department of Public Health
Reported Entity: EISENHOWER MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to ensure their (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized disclosure of Patient A's demographic information.
Findings:
An interview was conducted with the Facility Privacy Officer (FPO), on March 12, 2013, at 9 a.m. The FPO stated the breach occurred on January 18, 2013, in the outpatient laboratory registration and waiting area. The FPO stated Patient A registered at the front desk of the laboratory. Patient B registered right after Patient A. The front desk employee gave Patient B the Conditions of Admission and wrist band containing Patient A's information (name, date of birth, medical record number and account number).
The breach was brought to the facility's attention, when Patient A walked back to the front desk and asked staff, how much longer she had to wait. Staff noticed that Patient A was not wearing the wrist band and asked the patient why she took it off. Patient A stated she never received a wrist band. At that moment, staff realized something was wrong and notified staff in her department. Staff then realized that Patient B was given Patient A's information and wrist band.
The FPO stated procedure to prevent incidents like this from happening included checking two identifiers (full name and date of birth). Staff was to ask the patient for their information, and staff was to verify it against the paperwork, as the patient stated the information requested. The front desk employee did not follow the facility's process and violated two of the facility's policy and procedures.
The facility's policy and procedure titled, "HIPPA-Use and Disclosure of Protected Health Information," was reviewed. The policy indicated, "It is the policy of [name of hospital] that the confidentiality of Protected Health Information contained in records and collected pursuant to treatment will be protected to the fullest extent possible. To maintain this confidentiality EMC staff may not disseminate PHI..."
The facility's policy and procedure titled, "Patient Identification Policy and Procedure," was reviewed. The policy indicated the purpose of the policy was to accurately identify the individual as the person whom the service or treatment was intended and to match the service or treatment to that individual at the hospital. "Patient identification at [name of hospital] must be performed utilizing at least two of the following patient identifiers prior to an examination, provision of services, communication, treatment of procedures...patient first and last name (checking correct spelling, utilizing active verbal confirmation by asking the patient to spell their name when possible)...Patient birth date utilizing active verbal confirmation..."
The facility failed to ensure their policy and procedures were followed by staff to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280