Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 13, 2014. Also cited in 44 other reports.
Report ID: C46L11.01, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a Registered Nurse (RN 1) gave Patient A's lab order document to Patient B. This resulted in an unauthorized disclosure of Patient A's PHI.Findings:On November 14, 2014 at 12:50 PM, a phone interview was conducted with the Director of Compliance, Privacy and Security regarding an entity reported incident of a breach of Patient A's PHI detected by the facility on May 13, 2014. The Director of Compliance, Privacy and Security stated that RN 1 gave Patient A's lab order document which contained Patient A's name, medical record number, date of birth, phone number, address, group number, lab order names, and diagnosis to Patient B.The Director of Compliance, Privacy and Security stated that Patient A was notified of the breach of PHI on May 16, 2014.On December 17, 2014 at 1:00 PM, a phone interview was conducted with the Clinical Director of the Liver Program and the immediate supervisor of RN 1. The Clinical Director explained that lab orders are generated by printing them from the computer and RN 1 gave Patient A's lab order document to Patient B. The Clinical Director stated that RN 1 did not double check the document prior to giving it to Patient B.RN 1 resigned and was not able to be interviewed.A copy of the letter sent to Patient A, dated May 16, 2014, informing him about the breach of PHI was reviewed.A review of Patient A's lab order document indicated the PHI of Patient A included his name, medical record number, date of birth, phone number, address, group number, lab order names, and diagnosis.A review of RN 1's educational document indicated training in compliance, medical identity theft prevention, HIPAA competency, disclosures of protected health information, information security and confidentiality. A document titled "Confidentiality Statement" was signed by RN 1 and dated January 24, 1997.A review of the facility's policy and procedure titled "Patients' Rights, Protection of Patient Privacy" dated May 2013 indicated "All Medical Center employees, ...shall be responsible for maintaining the confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient or patient-related data.The facility failed to ensure the correct medical document was given to the correct patient resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights