Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Enloe Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 5, 2012. Also cited in 8 other reports.
Report ID: 0QL211, California Department of Public Health
Reported Entity: ENLOE MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to prevent the unauthorized access by Radiation Technician B to the medical records of one patient. (Patient 1)
Findings:
During an interview on 1/5/12 at 9:30 am, Administrative Staff A (Admin) verified that she had reported to the Department on 1/3/12 at 3:14 pm, the unauthorized access to the private health information (PHI) of Patient 1 by Radiation Technician (Rad Tech) B. Admin Staff A stated the facility became aware of the breach on 1/1/12 after Ultrasound Tech (Ultra Tech) D notified Admin Staff C. According to Ultra Tech D, Rad Tech B came into the radiology office area on 1/1/12, on her day off, and used her own login and password to access Patient 1's room number. Admin Staff A stated that Rad Tech B was Patient 1's daughter. Admin Staff A stated that, in addition to accessing Patient 1's PHI on 1/1/12, the audit demonstrated that Rad Tech B had also accessed Patient 1's PHI on 11/28/11 and 12/6/11. Patient 1 was notified of the unauthorized breach by certified letter on 1/3/12.
On 2/28/12, copies of the computer searches (query search) made by Rad Tech B for Patient 1 from 11/28/11 through 12/6/11 were reviewed. During this period Rad Tech B made two searches for Patient 1 in the facility's computerized patient information filing system (Meditech). The information accessed by Rad Tech B included Patient 1's demographics including her name, date of birth, physician's name, allergies, physician's orders, lab results, vital signs, diagnoses and various nursing assessments. On the dates that Rad Tech B accessed Patient 1's records, Rad Tech B was not assigned duties associated with Patient 1 or Patient 1's medical record. On 2/28/12 at 9:40 am, Admin Staff C verified that Rad Tech B's access to Patient 1's PHI was unauthorized.
The facility's, "Patient Care Information System (PCIS), Internet and Electronic Communications" policy was reviewed. The policy indicated that employees are only authorized to access information on patients for whom they have responsibility. They must not access other patient information within the health system, inclusive of friends, relatives or acquaintances. The policy also read that "all new employees will receive a copy and sign the PCIS statement." On 6/7/00, Rad Tech B signed a facility, "Employee and Volunteer Statement of Confidentiality" and "Patient Care Information System (PCIS), Internet and Electronic Communications Statement" form certifying that she had, "read....understand its significance and importance, and agree to abide by it."
Outcome:
Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280