KAISER FOUNDATION HOSPITAL-MORENO VALLEY

Report ID: 18VJ11.02, California Department of Public Health

Reported Entity: KAISER FOUNDATION HOSPITAL-MORENO VALLEY

Issue:

Based on interview and record review, the facility failed to ensure the California Department of Public Health (the Department) was notified of the theft of Patient A's protected health information (PHI) within the mandated time frame for reporting the event. The facility detected the event on January 8, 2015, and reported the event to the Department on February 13, 2015, 36 days later and 13 days after the mandated timeframe for reporting the event.Findings:An interview was conducted with the Director of Accreditation, Regulations and Licensing (DOA) on February 18, 2015, at 10:30 a.m. The DOA stated between the hours of 12:30 p.m., January 4, 2015, and 6 a.m., January 5, 2015, a business associate's office was broken into and a password protected computer was stolen. The DOA further stated there was PHI which was not encrypted for multiple patients on the computer,which included Patient A's PHI.The DOA stated the facility's national compliance offices were notified of the breach on January 8, 2015. The national compliance office did not notify the facility of the breach until February 11, 2015. The DOA further stated the facility subsequently reported it to the Department on February 13, 2015, 36 days later and 13 days after the mandated timeframe for reporting the event.A review of the facility policy, "Notification Regarding Breaches of Protected Health Information (Effective Date: 10/17/2013)," was conducted. The policy indicated, when required by law, the facility is required to notify a government regulator about the breach.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

The report containing this deficiency also includes information about 1 other violation. Note that these may be related to the same event: 18VJ11.01