Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
QUEEN OF THE VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 6, 2013. Also cited in 17 other reports.
Report ID: 7R7T11, California Department of Public Health
Reported Entity: QUEEN OF THE VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of a patient's (Patient 1) medical information when it was sent to an insurance company to which Patient 1 was not subscribed to. This failure allowed the unlawful or unauthorized access to Patient 1's medical information. Findings:The California Department of Public Health was notified on 12/5/12 that a, "Breach of Protected Health Information (PHI)", occurred on 11/15/12.During an interview on 2/6/13 at 2:05 p.m., Administrative Staff A stated that he received notification, on 12/3/12, from Insurance Staff Member B, that they had mailed some of Patient 1's PHI to Insurance Company C instead of Patient 1's Insurance Company D in an attempt to get payment for services rendered. Administrative Staff A also stated that it was human error in that a template letter had been used by the Vendor without changing the previously used address for Insurance Company C.Administrative Staff A further stated that the delay between the breach occurrence, on 11/15/12, and the facility being notified, on 12/3/12, was due to the Insurance Staff B realizing that they had not heard from Patient 1's Insurance Company D and on calling them, was advised that nothing had been received for Patient 1 and subsequently reporting the breach to the facility.A review of the facility Policy and Procedure for "CONFIDENTIALITY" (2/3/11 ) reveals the following: "3.0 POLICY The protection of confidential, sensitive, and proprietary information is of critical importance to the facility, its work-force, and its patients. In addition, the safeguarding of patient information from unauthorized, inappropriate, and unlawful use and disclosure is required by law and is consistent with the values of the facility. Employees are required to follow all policies and procedures and the facilities Standards of Conduct regarding use and disclosure of business patient information, and to comply with all safeguards applicable to the employee's work area and the employee's scope of duty in order to ensure that business and patient information is safeguarded at all times..1.1.2 The employee will only use and disclose that patient information that is minimally necessary in order to accomplish the intended purpose of the use or disclosure..1.1.3 The employee will follow all facility policies and procedures and the facility's Standards of Conduct and take all precautions to prevent any intentional or unintentional use or disclosure of any trade secrets or confidential information about the facility, its employees, and its programs".A review of the facility pamphlet, given to all patients, for, "NOTICE OF PRIVACY PRACTICE" (no date) reveals the following: "We understand that medical information about you is personal. We are committed to protecting the privacy of medical information about you. In an effort to provide the highest quality medical care and to comply with certain legal requirements, we will and are required to: Keep your medical information private...Follow the terms of this notice."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280