Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Ukiah Valley Medical Center
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 7, 2013. Also cited in 31 other reports.
Report ID: OVPU11.01, California Department of Public Health
Reported Entity: UKIAH VALLEY MEDICAL CENTER/HOSPITAL D
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of three patient's (Patient 1, Patient 2 and Patient 4) protected health information (PHI), when some of Patient 1 and 4's medical information was faxed to the wrong parties, and some of Patient 2's information was handed to Patient 3. These failures allowed the unlawful or unauthorized access to protected health information.Findings:(CA00323892)The California Department of Public Health was notified on 8/29/12, that a, "Breach of Protected Health Information (PHI)," occurred on 8/23/12.During an interview on 2/15/13 at 10 a.m., Administrative Staff A stated that she received notification, from the [Wrong Party] on 8/24/12, that they had received a faxed copy of Patient 1's PHI, on 8/23/12. Patient 1's information included, name, gender, date of birth, diagnosis, two physician names, medications, allergies, physical exam results, lab results, colonoscopy/endoscopy report/findings, emergency department report, CT results, thyroid scan results, ultrasound reports, account number, and medical record number.Administrative Staff A also stated that it was a human error on the part of Licensed Staff B, in that he faxed, Patient 1's PHI to the [Wrong Party[ instead of Patient 1's Health Provider, while rushed. Patient 1 was informed of the breach, by mail, on 8/30/12, four business days after the facility became aware.(CA00325924)The California Department of Public Health was notified on 9/17/12, that a, "Breach of Protected Health Information (PHI,), occurred on 9/11/12.During an interview on 2/15/13 at 10 a.m., Administrative Staff A stated that she received notification, from the emergency room department, on 9/12/12, that Patient 3 had come in on 9/12/12, and returned a work note for Patient 2, with Patient 2's name on it, that she had been given on 9/11/12. Patient 2's information included, name, reason for being off, and Physician's name.Administrative Staff A also stated that it was an error on the part of Licensed Staff C in that she had seen both patients and not double checked the patient's identity with the name on the work excuse. Patient 2 was notified of the breach on 9/24/12, eight business days after the facility became aware.(CA00333070)The California Department of Public Health was notified on 11/13/12, that a, "Breach of Protected Health Information (PHI)," occurred on 9/10/12.During an interview on 2/15/13 at 10 a.m., Administrative Staff A stated that she received notification, from the [Wrong Employer] on 10/12/12, that they had received a faxed copy of Patient 4's PHI. Patient 4's information included, name, gender, date of birth, and drug screen lab results. Administrative Staff A also stated that the error occurred, on 9/10/12, when Unlicensed Staff D registered Patient 4 with the [Wrong Employer name] instead of Patient 4's Employer name, and when the bill was sent out by Unlicensed Staff E, she did not catch the discrepancy.Administrative Staff A further stated that it was a human error on the part of Unlicensed Staff D in that she selected the wrong employer from the drop down box during registration.Patient 4 was informed of the breach, by mail. on 10/12/12, the day the facility became aware.A review of the facility Policy and Procedure for, "USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION" (5/14/10), indicated the following: "AFFECTED DEPARTMENTS/SERVICES: 1. All Corporate Office Departments 2. System-Wide Facilities...POLICY: COMPLIANCE-KEY The facility communities and patients will benefit from a system wide, standard approach to Privacy Rule compliance.....A. Permitted Circumstances For Use And Disclosure Of PHI Under the Privacy Rule, facility entities are permitted to use or disclose PHI when: 1. The disclosure is to the individual to whom the PHI pertains."A review of the facility Policy and Procedure for, "MAILING AND FAXING PROCEDURES" (11/10), indicated the following:"AFFECTED DEPARTMENTS/SERVICES: 2. Hospital wide. POLICY:...2. Fax: Patient medical information, which is faxed between and outside the hospital campuses, has greater potential for invasion of privacy than that sent by mail or personal delivery. Safeguards need to maintained to insure proper transmittal and receipt of information."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280