This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

CLOVIS COMMUNITY MEDICAL CENTER

2755 HERNDON AVE, CLOVIS, CA 93611

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 10, 2014. Also cited in 27 other reports.


Report ID: 77VS11, California Department of Public Health

Reported Entity: CLOVIS COMMUNITY MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's medical information was accessed by an unauthorized employee. (refer to CA00371860).
2. Patient 2's medical information was given to Patient 3 on discharge. (refer to CA00369598).
3. Patient 4's identification label containing PHI was placed on Patient 5. (refer to CA00370439).
4. Patient 6's medical record was accessed by an unauthorized employee. (refer to CA00369744).

This failure resulted in unauthorized access to Patients 1, 2, 4, and 6's PHI and the potential for abuse of that information.

Findings:

Refer to CA00371860.

1. On 1/10/14 at 9:29 a.m., Staff 1 (Privacy Officer) stated on 9/26/13 she was informed by Patient 1 that a co-worker had accessed her medical information and shared it with others. The office staff stated "Employee should not have used the Epic system to view personal information regarding a co-worker."

Patient 1's PHI included name, address, date of birth, gender, social security number, medical record number, account numbers and clinical information related to hospital visit.

The hospital's Epic Care Link User Terms and Conditions contract for Physician Offices indicates "You may only use or download patient information contained on the portal for the following purposes and only to the extent permissible under all applicable laws regarding the privacy of patient information: (i) for treatment of patients under your care."

The hospital's [policy and procedure titled] "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/08/12 indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which include employees, trainees, students, volunteers, and other designated persons."

Refer to CA00369598.

2. On 1/10/14 at 9:45 a.m., during an interview, the PO stated the nurse discharged Patient 3 with paperwork that included prenatal information from Patient 2's physician's office. The prenatal information included Patient 2's PHI. The PO stated the nurse should have double checked the paperwork for patient identification before giving it to Patient 3, but this was not done.

Patient 2's PHI breached included name, date of birth, diagnoses, medications, lab results, and details of her prenatal office visits (vital signs, and progress of her pregnancy).

The hospital's [policy and procedure titled] "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/08/12 indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which include employees, trainees, students, volunteers, and other designated persons."

Refer to CA00370439.

3. On 1/10/14 at 9:55 a.m., during an interview, the PO stated a hospital employee (Admitting/Registration Department) placed an armband on Patient 5 with Patient 4's information. Hospital policy requires that employees confirm with the patient that the armband reflects the correct patient name, correct spelling of the name and patient date of birth, but this was not done.

Patient 4's breached information included name, date of birth, gender, medical record number and account number related to patient's hospital visit on 9/10/13.

The hospital's [policy and procedure titled] "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/08/12 indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which include employees, trainees, students, volunteers, and other designated persons."

Refer to CA00363744.

4. On 1/10/14 at 10:15 a.m., during an interview, the PO stated on 9/09/13 the wife of Patient 6 telephoned the hospital and spoke with the House Supervisor (HS) stating that ex-wife is an employee and had accessed ex-husband's hospital records. Privacy Officer stated she had completed an audit on Patient 6's records and confirmed that ex-wife had accessed Patient 6's records in violation of hospital policy. There was no need to know for business reasons.

Patient 6's breached information included name, date of birth, gender, address and clinical information for hospitalization on 9/09/13.

The hospital's [policy and procedure titled] "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/08/12 indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which include employees, trainees, students, volunteers, and other designated persons."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Do you believe your privacy has been violated? Here’s what you can do: