Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
EL CENTRO REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 24, 2015. Also cited in 38 other reports.
Report ID: 6F2M11, California Department of Public Health
Reported Entity: EL CENTRO REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to safeguard protected health information (PHI- is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual) from unauthorized person(s) in accordance with their policies and procedures, for 1 of 1 sampled patients (Patient 1). A social worker (hospital employee - SW 1) accessed her family member's medical record (Patient 1) without a direct business need. This act was not in compliance with the hospital's policy.Failure to ensure that the staff followed and implemented hospital's Access to and Maintenance of the Health Record policy led to a breach when SW 1 accessed Patient 1's medical record for her own personal purpose. This failure was also a violation of Patient 1's right to confidentiality of all communications and record pertaining to health care received at the hospital.Findings: On 7/17/15 at 1:02 P.M., the hospital reported to the California Department of Public Health (CDPH) that a potential event of unlawful or unauthorized access or use of patient medical information occurred. The hospital reported that SW 1 did not have a direct need to access Patient 1's record nor did she have written consent to do so.Patient 1 was admitted to the hospital's Emergency Department (ED) on 7/12/15 per the Facesheet.An attempt to interview SW 1 was made on 7/24/15. The Compliance Manager (CM 1), who was also the Privacy Officer, stated that SW 1 was not available to be interviewed.An interview and joint document review with CM 1 was conducted on 7/24/15 at 10:03 A.M. CM 1 explained that the hospital confirmed through an audit that SW 1 accessed Patient 1's medical record in the ED without a business need. The Audit Log, with an arrival date of 7/12/15, was reviewed. The Audit Log revealed that SW 1 accessed Patient 1's medical record in the ED on 7/12/15 at 1:14 P.M. - 1:19 P.M., and then again on 7/12/15 at 1:32 P.M. According to the Audit Log, the following confidential patient health information was accessed by SW 1: patient summary, order page, printed orders, chart, order results, nurses' notes, nurse triage notes, physician chart, home medication form, registration which included patient's name, date of birth, address, chief complaint, room number, account number, physician name, past medical history, treatment and procedures.According to CM 1, on 7/24/15 at 11:31 A.M., the hospital's staffing system was checked. The staffing system confirmed that SW 1 worked on 7/12/15 from 10:59 A.M. to 6:02 P.M. The hospital's Audit Log showed that SW 1 accessed Patient 1's medical record in the ED on two occasions on 7/12/15, during the time that SW 1 was working at the hospital.According to the hospital's policy titled "Access to and Maintenance of the Health Record", dated 3/28/13, indicated that "All individuals engaged in the collection, handling or dissemination of patient health information should protect the confidentiality of patient data...." Per the same policy, it stipulated that "Health records shall be available for use within the facility for direct patient care by all authorized personnel who have a legitimate need for access to the health record."According to the hospital's policy titled "Rights and Responsibilities; Patient", dated 4/9/13, indicated that "... the hospital shall provide processed support <for> the following patient rights." Per the same policy, one of the rights stipulated that "To receive confidential treatment of all communications and records pertaining to the care and the stay in the hospital. The patient will receive a separate [Notice of Privacy Practices] that explains their privacy rights in detail and how we may use and disclose their protected health information...."An interview with the Lead Case Management Manager (LCMM) was conducted on 11:18 A.M. LCMM stated that he was currently covering for the Director of Case Management. LCMM stated that he had direct oversight over social workers and case managers at this time. LCMM stated SW 1 should not have accessed Patient 1's medical record in the ED because she did not have a business need to do so. He acknowledged that SW 1 did not follow the hospital's Access to and Maintenance of the Health Record policy.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights