MAMMOTH HOSPITAL

Report ID: 1MVZ11, California Department of Public Health

Reported Entity: MAMMOTH HOSPITAL

Issue:

Based on interview and record review the facility failed to ensure the confidential protected health information (PHI) of Patient A's when the ultrasound technician (Employee 1) released a CD (compact disk) with Patient A's ultrasound images to Patient B. This resulted on a breach of Patient A's protected health information.Findings:On November 13, 2014, at 8:45 AM, a phone interview was conducted with the Health Information Management System Manager/Privacy Officer (HIMAM/PO) regarding an entity reported incident of a breach of PHI for Patient A, on July 15, 2014. The ultrasound technician did not clear the cache on the ultrasound machine when the CD was burned so previous imges were transferred to CD. The images of Patient A was burned onto the CD along with Patient B's images.During a review of the description of information disclosed on the CD, it contained Patient A's 21 ultrasound images in JPG (type of computer picture) format and 12 video files on ultrasound images. The following information was also disclosed: Patient A's name, age, medical record number, and date/time of service.A review of the facility's policy and procedure titled, "Release of Protected Health Information," dated March 29, 2013, indicated, "A covered entity may not use or disclose PHI without a valid authorization from the patient."The failure of Employee 1 to verify the ultrasound images on the CD only belong to Patient B, resulted in the unauthorized release of Patient A's PHI to Patient B.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights