Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EISENHOWER MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 7, 2014. Also cited in 279 other reports.
Report ID: RU0611.01, California Department of Public Health
Reported Entity: EISENHOWER MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent the unauthorized access and/or disclosure of Patient A's protected health information (PHI), when an arm band imprinted with Patient A's PHI was placed on the arm of a different and unintended patient with the same name. This had the potential to result in the misuse of Patient A's private demographics and health information.Findings:On May 7, 2014, at 10 a.m., an investigation was conducted for this entity reported incident.On March 13, 2014, the Information Privacy Officer (IPO) was interviewed. The IPO stated on February 26, 2014, an unauthorized disclosure of Patient A's PHI occurred when another patient received an arm band intended for Patient A. The arm band contained Patient A's name, date of birth, and the patient's medical record number.On July 14, 2014, a review of the facility policies titled, "Patient Identification Policy and Procedure," with last reviewed/revised date of January 2, 2014, indicated the following:"Purpose:To accurately identify the individual as the person for whom the service or treatment is intended and to match the service or treatment to that individual at (name of hospital ) Medical Center.Scope and Applicability:1. Patient identification at (name of hospital) Medical Center must be performed utilizing at least two of the following patient identifiers prior to any examination, provision of services, communication, treatment or procedure.-Patient first name and last name (checking correct spelling, utilizing active verbal confirmation by asking the patient to spell their name when possible).-Patient birth date utilizing active verbal confirmation when possible.-Medical record number, when patient is not able to communicate.Procedure:4. Patient registration or designated person will apply and secure the identification bracelet on the patient, confirming the correct patient name and patient birth date at the time of the encounter."An additional Policy and Procedure titled, "HIPPA Use and Disclosure of Protected Health Information," dated and revised, November 17, 2013, indicated the following:"Purpose:To define whether use or disclosure of Protected Health Information (PHI) is required, permitted, or subject to authorization requirements; to provide direction to staff regarding when patient authorization is required for use or disclosure of PHI; and to provide direction to staff regarding when PHI may be used or disclosed without patient authorization:Policy:It is the policy of (name of hospital) Medical Center that the confidentiality of Protected Health Information contained in records and collected pursuant to treatment will be protected to the fullest extent possible. To maintain this confidentiality (name of hospital) staff may not disseminate PHI unless it is pursuant to a valid request, a valid authorization or a legally recognized exception to this requirement.Permitted Uses and Disclosures1. For purposes of treatment, payment, operations ("operations" includes education).Permitted uses and disclosures for verbal communication given the opportunity to agree or object.2. Persons assisting in the patient's care".
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280