Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ALVARADO HOSPITAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 1, 2013. Also cited in 14 other reports.
Report ID: LRF811.02, California Department of Public Health
Reported Entity: ALVARADO HOSPITAL MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI- is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual) from unauthorized person(s) in accordance with their policies and procedures, for 1 of 1 sampled patients (Patient 1). Patient 1's confidential patient information was faxed inadvertently to a lawyer's office (unintended recipient).Failure to follow the hospital's faxing of information policy led to the inadvertent and unauthorized disclosure of Patient 1's confidential and protected health record. This failure was also a violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.Findings: On 6/17/13 at 11:10 A.M., the hospital reported to the California Department of Public Health that a fax transmission intended for another hospital was sent in error to the wrong fax machine and was received by a lawyer's office.Patient 1 was admitted to the hospital on 5/14/13 per the Facesheet. A review of Patient 1's medical record was conducted on 8/1/13 at 11:02 A.M. Patient 1's medical record (21 pages) that were inadvertently faxed to the wrong recipient contained the following confidential patient information: patient name, date of birth, medical record number, account number, admission/discharge information, emergency contact person information, health insurance information, discharge medication list, allergies, physical exam findings, history and physical (H&P), past surgical procedures, diagnoses, progress note entries, multiple lab results, electrocardiogram results (a test that shows any problems with the electrical activity of the heart) and radiology findings/impressions.A telephone interview was conducted with the health information management lead (HIML) on 12/4/14 at 3:30 P.M. The HIML stated that she recalled this inadvertent breach of confidential PHI by a copy service staff (CSS 1). Per the HIML, CSS 1 worked for [company name] that was contracted by the hospital to provide a copy service of records and documents. The hospital did not have a contract with this company therefore, CSS 1 could not be interviewed. HIML stated that CSS 1 did not verify the fax number before faxing Patient 1's confidential medical record (21 pages) to the intended recipient. She acknowledged that CSS 1 did not follow the hospital's faxing policy when she did not verify the fax number of intended recipient which led to the inadvertent disclosure of Patient's PHI.According to the hospital's policy titled "Faxing of Information", dated 2/13, the policy's purpose was "To prevent improper disclosure of patient or administrative information and to protect patient confidentiality while faxing information." Per the same policy under procedure for faxing clinical information, it stipulated to "Verify fax number with intended recipient."According to the hospital's policy titled "HIPAA (Health Insurance Portability and Accountability Act - a law designed to protect the confidentiality and security of patient/healthcare information) Privacy Rule", dated 9/26/11, the policy indicated that required disclosures "... must disclose protected health information in only two situations:1. to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and 2. to HHS (Health and Human Services) when it is undertaking a compliance investigation or review or enforcement action."An interview with the Privacy Officer was conducted on 12/4/14 at 4:30 P.M. The Privacy Officer acknowledged that an unauthorized disclosure of confidential patient information occurred when 21 pages of Patient 1's health record were faxed to a lawyer's office (unintended recipient).
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights