Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EISENHOWER MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 21, 2014. Also cited in 279 other reports.
Report ID: 15911.01, California Department of Public Health
Reported Entity: EISENHOWER MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized disclosure of PHI (Protected Health Information) for one Patient (Patient A) when her PHI was discovered by laboratory technicians, on documents given to Patient B. This failed practice resulted in unauthorized persons having access to Patient A's PHI, and the potential for its misuse.Findings:On December 24, 2013, the California Department of Public Health (CDPH) was notified that the facility "believed it has sustained an inadvertent privacy breach..." During an interview with the facility PO (Privacy Officer) on January 21, 2014, at 10:45 a.m., the PO stated a laboratory order form given to Patient B, contained Patient A's name, date of birth, physical address, and primary insurance carrier. The PO stated Patient B presented the form to the laboratory technician, as an order for lab work. The technician reviewed the document and discovered the error. The PO was notified about the privacy breach, on December 17, 2013. A review of the document submitted by Patient B to the laboratory contained Patient A's name, date of birth, physical address and insurance carrier. The facility policy titled, "HIPAA - Use and Disclosure of Protected Health Information," was reviewed. The policy indicated the following:a. The confidentiality of PHI contained in records and collected pursuant to treatment would be protected to the fullest extent possible; and,b. To maintain confidentiality, staff could not disseminate PHI unless it was pursuant to a valid request or a valid authorization.c. PHI included individually identifiable health information. Information was considered PHI when there was a reasonable basis to believe the information can be used to identify a individual. The facility policy titled, "Information Privacy," was reviewed. The policy indicated the following:a. An unauthorized disclosure was the release of information to parties without a purpose for the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280