Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MAMMOTH HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 6, 2014. Also cited in 15 other reports.
Report ID: 9GSO11.01, California Department of Public Health
Reported Entity: MAMMOTH HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure that a patient Access Representative (Employee 1) followed facility policies and procedures to protect the health information for Patient A when Employee 1 breached the electronic health record (EHR- the clinical documentation portion of the patient's record which included lab results) for Patient A and viewed confidential test results related to Patient A's unborn baby on August 6, 2013.This resulted in a breach of protected health information (PHI) for patient A.Findings:On July 23, 2014 at 3:30 PM, a telephone interview and concurrent review of the facility's "Incident Report" was conducted with the Facility's Privacy Officer (FPO) to investigate an entity reported incident of a breach of PHI for Patient A. The FPO stated that on August 9, 2013 during an interview with Patient A and Patient A's aunt, Patient A indicated that Employee 1, knew the test results that indicated that Patient A was having a Down Syndrome baby (a condition in which extra genetic material causes delays in the way a child develops, both physically and mentally) and that Employee 1 may have shared that information with the preachers wife. Patient A and Employee 1 attended the same church. The FPO stated that her investigation was unable to verify through interview that Employee 1 had shared any information with the preachers wife indicating that Patient A was having a Down Syndrome baby .The FPO further stated that during an interview with Employee 1 on October 1, 2013, Employee 1 confirmed that Patient A's mother and Employee 1's father were cousins and that Patient A and Employee 1 attended the same church and that Employee 1 knew that Patient A was pregnant and that her baby may have Down Syndrome, but heard the news from a relative. Employee 1 denied that she had accessed Patient A's EHR. During the FPO's review of the access log for Patient A's EHR on October 2, 2013, she was able to confirm that Employee 1 had breached Patient A's confidential protected health information on August 6, 2013 and viewed referral documentation and "Prenatal Screening Results" for Patient A, that indicated that Patient A's baby was at a high risk for having Down syndrome."Employee 1 was discharged from the facility on October 7, 2013. On July 23, 2014, a review of document's breached for Patient A included:1. "Maternal-Fetal Medicine Fax Referral Form", dated July 24, 2013. The document was a referral request for Patient A, from (name of clinic) to (name of hospital facility). The document indicated that Patient A was seventeen (17) weeks pregnant with an estimated due date (EDD) of January 1, 2014 and under the heading "Other: "(19 year old with positive screen; Downs 1:26." 2. "Prenatal Screening Results" dated July 23, 2013 and July 24, 2014 that included 1st trimester and 2nd trimester data related to Patient A's pregnancy that included weight, date of birth, race, and blood collection dates and test interpretations indicating "Down Syndrome Risk Assessment ***Screen Positive-Increased Risk***. Based on the patient's age and test results, her mid-trimester risk is 1:26."The PHI breached for Patient A included as follows:Name, address, phone number, ethnicity, date of birth, insurance information, last menstrual period, estimated due date, weeks pregnant, medical record number, documentation that Patient A had a positive screen for Downs 1:26, and referral information for genetic counseling, sonogram and amniocentesis (a process by which patients at risk of an inherited disorder are of advised of the consequences and nature of the disorder, using the reflections of high frequency sound waves to construct an image of a body organ and removal of fluid from the sac in the womb around the baby ), Trisomy 21 (Down Syndrome) and consultation with perinatologist (a specialist doctor concerned with the care of the mother and unborn baby at high risk for complications) and sonogram.A review of facility policy and procedure titled "Release of Protected Health Information", effective date March 29, 2013 indicated:"No person without a legitimate "need to know" reason directly related to patient care or to the bona fide interest of (facility name) will be granted access to patient information in any form or at any time. Persons who attempt to access patient information without authorization will be subject to immediate disciplinary action and possible immediate dismissal."Therefore, the facility failed to prevent access to confidential medical record information and safeguard Patient A's medical record against use by unauthorized individuals.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights