This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VALLEY CHILDREN'S HOSPITAL

9300 VALLEY CHILDRENS PLACE MADERA, CA 93636

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 16, 2014. Also cited in 40 other reports.


Report ID: Z89J11, California Department of Public Health

Reported Entity: CHILDRENS HOSPITAL CENTRAL CALIFORNIA

Issue:

Based on staff interview, facility and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential for 14 patients when:

1. A facility "Transplant Donor Report" was faxed to a private individual. The report contained the PHI of Patients 1-13. (CA00397308)

2. An email, with Patient 14's PHI, intended for Insurance Company "A" was sent to Insurance Company "B". (CA00396532)

These failures placed Patient 1-14's PHI at a potential for unauthorized use.

Findings:

CA00397308

1. On 5/16/14 at 3:10 p.m., during an interview, the Privacy Officer (PO) stated on 7/8/13 the Request of Information Coordinator (RoI) faxed a facility report, "Transplant Donor Report", to a private individual instead of the intended recipient. The PO stated the RoI failed to verify the fax number prior to transmitting the fax. She stated the RoI should have verified the fax number. The PHI disclosed included Patient 1-13's name, medical record number, and diagnoses.

The facility policy and procedure titled, "Patient Rights and Services", dated 8/2011, indicated, "...All information that is deemed confidential by [hospital] and/or by specific legal statutes shall be kept confidential and shall not be copied, electronically accessed, transmitted or removed from Hospital premises under any circumstances whatsoever...."

The facility policy and procedure titled "Facsimile Machines", dated 8/2011, indicated, "... All individuals using a facsimile machine to transmit either patient or organizational information will be accountable for ensuring that the information is transmitted to the appropriate destination.... Procedure...2. Sending a Facsimile to External Parties. A. ...When confidential information is faxed to a destination number that is not pre-programmed, the fax machine operator shall be responsible for double checking the accuracy of the number in the machine's display before sending the fax..."

CA00396532

2. On 5/16/14 at 3:23 p.m., during an interview, the Privacy Officer (PO) stated the Supervisor of Admitting (SoA) sent an email, containing Patient 14's PHI, to Insurance Company "B" instead of the patient's insurance company. The PO stated the SoA did not verify which Insurance Company should have received Patient 14's PHI. The PO stated the SoA should have verified the name of the correct Insurance Company prior to sending the email. The PHI disclosed included Patient 14's name and date of service.

The facility policy and procedure titled, "Patient Rights and Services", dated 8/2011, indicated, "...All information that is deemed confidential by [hospital] and/or by specific legal statutes shall be kept confidential and shall not be copied, electronically accessed, transmitted or removed from Hospital premises under any circumstances whatsoever...."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
