Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CLOVIS COMMUNITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 17, 2012. Also cited in 27 other reports.
Report ID: IYD611, California Department of Public Health
Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER
Issue:
Based on interview, clinical record and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when Staff 1 accessed PHI for 23 patients without the need to know. These failures placed Patient 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, and 23's PHI at a potential risk for unauthorized use. Findings:On 11/2/12 at 3:57 p.m., the department received a fax from the hospital that indicated Human Resources Department director reported an incident of an employee unauthorized access of patients' medical information.On 12/17/13 at 9:45 a.m., during an interview, the Risk Manager (RM) 1 stated, "It was reported that Staff 1 had looked at several patients electronic medical records without the business need to know." On 12/19/12 at 1:30 p.m., the Privacy Officer (PO) confirmed that Staff 1 had accessed 23 patients' medical records on various dates without authority. The PO indicated the medical records contained confidential medical and personal information. For Patient 1: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 7/16/12. The clinical record contained name, address, date of birth, gender, phone number, medical record number, account number, insurance information, and date of hospitalization. For Patient 2: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/5/12. The clinical record contained name, address, date of birth, gender, phone number, medical record number, account number, insurance information, physician's order, and date of hospitalization. For Patient 3: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/5/12. The clinical record contained name, date of birth, gender, medical record number, account number, radiology order/results, physician's order, and dates of hospitalization. For Patient 4: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 10/12/12. The clinical record contained name, address, social security number, date of birth, phone number, gender, medical record number, account number, insurance information, physician's order, ECG (electrocardiogram - interpretation of heart electrical activity) results, and dates of hospitalization. For Patient 5: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 7/30/12. The clinical record contained name, date of birth, gender, medical record number, account number, physician order, history and physical, discharge instructions, and dates of hospitalization. For Patient 6: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 6/25/12. The clinical record contained name, date of birth, gender, medical record number, account number, physician order, history and physical, discharge instructions, and dates of hospitalization. For Patient 7: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 6/19/12. The clinical record contained name, date of birth, gender, medical record number, account number, physician order, history and physical, discharge instructions, emergency department visit summary, and date of hospitalization. For Patient 8: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 5/24/12. The clinical record contained name, date of birth, gender, phone number, medical record number, account number, insurance information, lab requisition, and date of hospitalization. For Patient 9: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 5/24/12. The clinical record contained name, date of birth, gender, phone number, medical record number, account number, cardiology (heart) consultation, and date of hospitalization. For Patient 10: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 8/16/12. The clinical record contained name, address, date of birth, gender, medical record number, account number, insurance information, and date of hospitalization. For Patient 11: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 7/13/12. The clinical record contained name, address, social security number, date of birth, gender, phone number, medical record number, account number, insurance information, physician order, and date of hospitalization. For Patient 12: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 6/28/12. The clinical record contained name, address, phone number, date of birth, gender, lab order, and date of hospitalization. For Patient 13: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 8/1/12. The clinical record contained name, date of birth, gender, medical record number, surgery report, and date of hospitalization.For Patient 14: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 8/14/12. The clinical record contained name, date of birth, gender, medical record number, account number, medical genetics consultation, physician order, and dates of hospitalization.For Patient 15: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 7/31/12. The clinical record contained name, address, social security number, date of birth, gender, phone number, medical record number, account number, insurance information, history and physical, and date of hospitalization. For Patient 16: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 7/30/12. The clinical record contained name, address, date of birth, gender, phone number, account number, emergency medical services report, and date of hospitalization. For Patient 17: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 8/23/12. The clinical record contained name, date of birth, physician orders, and date of hospitalization. For Patient 18: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/24/12. The clinical record contained name, date of birth, gender, medical record number, account number, aftercare instructions, condition of admission, surgical pathology consultation, insurance information, and date of hospitalization. For Patient 19: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/19/12. The clinical record contained name, date of birth, gender, medical record number, account number, endoscopy (a procedure that let the physician see inside the upper gastric cavity) report, and dates of hospitalization.For Patient 20: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/25/12. The clinical record contained name, date of birth, gender, medical record number, account number, emergency medical services report, aftercare instructions, and date of hospitalization. For Patient 21: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 10/17/12. The clinical record contained name, date of birth, gender, medical record number, account number, emergency medical services report, aftercare instructions, condition of admission, physician orders, and date of hospitalization.For Patient 22: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 9/24/12. The clinical record contained name, date of birth, gender, phone number, medical record number, account number, insurance information, lab results, and date of hospitalization.For Patient 23: The clinical record was reviewed on 12/19/12. Staff 1 accessed medical record on 10/22/12. The clinical record contained name, date of birth, gender, medical record number, radiology (X-Ray) result, and date of hospitalization. The hospital policy and procedure number 10001 titled "Confidentiality/Breach of Information" dated 8/17/10, contained the following documentation: "II. Policy Detail: A. Confidentiality of patient information: Protected health information is only to be accessed in relationship to an employee's or the health care provider's assigned job duties. Accessing any patient information including but not limited to your own, your family members, or any other individual(s) without a business need to know, without authorization, for unauthorized purposes, or not within your 'scope of assigned duties' is a breach of confidentiality. Access to protected health information is based on the business need to know the information in order to perform your assigned job duties. CMC (Community Medical Centers) may only use or disclose protected health information when the patient has given authorization unless the information is used or disclosed for treatment, payment, healthcare operations or required by law."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights