Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EL CENTRO REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 10, 2015. Also cited in 38 other reports.
Report ID: FZ4111, California Department of Public Health
Reported Entity: EL CENTRO REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to ensure that patient information found on a daily insurance report was used only for business purposes, for 1 of 1 sampled patients (1). A case manager (CM 1) did not implement the hospital's Access to and Maintenance of the Health Record policy when she used patient information on a daily insurance report for her own personal use and without a business need.
Failure to ensure that staff followed and implemented hospital policy related to the access and maintenance of health record led to the misuse of patient information and a breach during a patient's hospitalization.
Findings: On 7/8/15 at 1:56 P.M., the hospital reported to the California Department of Public Health (CDPH) that an unauthorized use of patient medical information had occurred when CM 1 reviewed a hospital list, found a friend who was a hospital patient and visited the friend/patient (Patient 1) in the obstetrics (a branch of medicine concerned with childbirth and the care of women giving birth) unit.
Patient 1 was admitted to the hospital's obstetrics unit on 7/1/15 per the Facesheet.
An interview with CM 1 was conducted on 7/10/15 at 10:49 A.M. CM 1 stated that as a case manager her daily workload included downloading and reviewing hospital reports prior to performing their assigned tasks. On 7/1/15, she recalled downloading reports specifically the insurance report because she had seen her friend's name on it (Patient 1's name who also was a hospital employee). She stated that after seeing Patient 1's name on the report, she proceeded to go to the obstetrics unit to visit her friend (Patient 1). She acknowledged that she used patient medical information found on a hospital report for her own personal use and without a business need.
The hospital's policy titled "Access to and Maintenance of the Health Record", dated 3/28/13, indicated that "All individuals engaged in the collection, handling or dissemination of patient health information should protect the confidentiality of patient data. Cases of suspected violations of confidentiality, of protected health information, will be investigated by the department supervisor, privacy officer and HR (Human Resources) director and the employee could be subjected to the disciplinary process which includes written warning, suspension and/or termination. Each employee shall indicate understanding of this policy through a signed statement at the time of employment kept with the employee's personnel record." Per the policy, it stipulated that "Direct access to patient health care records for operational functions including billing shall be limited to the minimum necessary to achieve a job function or purpose."
According to the hospital's policy titled "Protected Health Information Breach", dated 7/8/15, the policy defined breach as "... an impermissible and unauthorized use or disclosure under the HIPAA (Health Insurance Portability and Accountability Act - a law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers) Privacy Rule that compromises the security or privacy of PHI (protected health information) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual."
An interview with the Director of Case Management (DCM) was conducted on 7/28/15 at 11:22 A.M. The DCM acknowledged that CM 1 used patient medical information from a hospital list without a business need.
An interview with the Compliance Manager (Privacy Officer) was conducted on 7/24/15 at 11:10 A.M. The Compliance Manager stated that CM 1 inappropriately used patient information found on a hospital list. The Compliance Manager acknowledged that CM 1 did not follow the hospital's Access and Maintenance of the Health Record policy.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights