Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 26, 2014. Also cited in 44 other reports.
Report ID: QQ3F11, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure their policy and procedures (P&P) for sending patient health information (PHI) via fax were followed when a case management discharge planner (CMDP) did not verify the name and number of the intended recipient prior to sending medical records via fax for Patient A. This resulted in a third party receiving medical records which contained PHI for Patient A without authorization.Finding:On December 11, 2014 at 10:58 AM, a phone interview was conducted with the Director-Compliance, Privacy and Security (DCPS) regarding an entity reported incident of a breach of PHI for Patient A, detected on November 12, 2014. The DCPS stated the fax number should be confirmed before hitting the send button, they need to pay attention. When asked if there was something not done to prevent this breach, the DCPS stated it was "human error"; the wrong number was typed in. The DCPS stated additional training was given to the CMDP. In record review it was determined Patient A was notified via mail of the breach on November 18, 2014 of their PHI.During a review of Patient A's clinical record, the documentation included Patient A's name, date of birth, age, address, patient identification number, admission information including admitting diagnosis. The documentation also contained emergency contacts, guarantor information, coverage and provider information, medical record number, physical therapy treatment progress note, history and physical, surgery documentation, internal medicine progress note, laboratory data, medication list, allergies, active problem list, past medical history, and orthopedic surgery note.A review of the facility policy and procedure titled, "Fax Security," dated June 2013, the policy indicated, "Prior to pushing "Send/Start/Go" on the fax machine, the sender shall confirm that the number dialed is correct."The failure to ensure the fax number was correct by the CMDP before faxing medical records resulted in the unauthorized release of PHI for Patient A to an unintended third party.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights