Sep 27, 2013

This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

MAMMOTH HOSPITAL

85 SIERRA PARK ROAD PO BOX 660 MAMMOTH LAKES, CA 93546

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 27, 2013. Also cited in 15 other reports.


Report ID: OPRP11, California Department of Public Health

Reported Entity: MAMMOTH HOSPITAL

Issue:

Based on interview and record review, the facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patients' protected health information (PHI), when Patient B was given a compact disc (CD) that contained Patient A's PHI without authorization.

FINDINGS:

On August 7, 2013, a phone interview was conducted with the facility privacy officer (FPO) to investigate an entity reported incident of a possible breach of PHI.

On September 27, 2013, a review was conducted of the entity reported incident. The Facility investigation was also reviewed which revealed that on April 12, 2010, Patient B called the facility to inform them that on April 11, 2010, when Patient B was discharged from the emergency department (ED), Patient B was given an unauthorized copy of a CD (compact disc) which contained Patient A's PHI.

During a review of the facility investigation, it was revealed that the CD, containing Patient A's PHI, included the following: name, medical record number, date of birth, and x-ray images of Patient A's knee, chest, and scapula.

On November 22, 2013, at 10:00 AM, a phone interview was conducted with the FPO, who confirmed the incident. He stated that Employee 1 had been verbally counseled regarding the incident, as well as re-educated on facility training Module-Protecting PHI. He further stated that Employee 1 had received PHI, confidentiality training on September 15, 2009, May 25, 2010, April 13, 2011, March 22, 2012, and February 11, 2013.

On September 27, 2013, a review was conducted of the facility's policy and procedure (P&P), "Emergency Department Release of Information," revised October 17, 2005. It revealed the following:

"The purpose of the P&P was to ensure that the patient health record is maintained and handled in a secure and confidential manner, while adhering to all applicable federal and state laws.

PHI shall be made available upon request to authorized persons in order to provide continuity of care and to allow for the necessary operations of (facility name)

Emergency Department staff are responsible to release information regarding patient's current emergency department (ED) visit to the patient upon leaving the ED or when transferring the patient to another facility for continuing patient care."

The Facility failed to protect patient rights, regarding maintaining the privacy and confidentiality of PHI, which resulted in Patient A's PHI being released without authorization to Patient B.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
