Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EISENHOWER MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 22, 2014. Also cited in 279 other reports.
Report ID: 5C2211.03, California Department of Public Health
Reported Entity: EISENHOWER MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to notify Patient A, within five days after a disclosure of protected health information (PHI) was detected. Patient A's full name, date of birth, and medication list were inadvertently disclosed to Patient B on January 3, 2014. The facility became aware of the breach on January 3, 2014 and notified Patient A on January 20, 2014,notified the Department on January 20, 2014, 17 days later and 10 days after the mandated timeframe for the facility to report the detection. This resulted in a delay in the notification of CDPH and a possible delay in the investigation of the unauthorized disclosure of Patient A's PHI. Findings:On January 20, 2014, the facility notified the Department, via facsimile, that Patient A's PHI had been inadvertently released to an unintended recipient. On January 22, 2014, 2:45 p.m., a facility Privacy Officer (PO), was interviewed. The PO stated a privacy breach had occurred on January 3, 2014, but her department was not made aware of the incident until January 20, 2014. The PO stated the privacy office reported the incident as soon as they became aware, but a manager and charge nurse were aware of the incident on January 3, 2014. The PO stated the breach should be communicated to the patient within 5 days of its detection. A copy of the letter, sent to Patient A was reviewed. The letters indicated "..The purpose of this letter is to notify you that a portion of your medical record, specifically an office visit summary containing your name, date of birth, and medical list was inadvertently handed to another patient." Patient A was notified, about the unauthorized disclosure of PHI, via standard mail, on January 20, 2014, (10 calendar days after the required notification of five business days).The facility policy and procedure titled "Information Privacy," reviewed/revised December 19, 2011, revealed:"5. The Information Privacy Officer will contact the patient within (5) five days of discovery to inform him or her of the unauthorized access, use or disclosure and the plan or step's (sic) taken to mitigate it."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280