Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 6, 2014. Also cited in 62 other reports.
Report ID: 5WJJ11.01, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical, and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential for 2 of 2 Patients (Patients 1 and 2) when:1. Patient 1's medication, labeled with PHI, was delivered by Home Health delivery driver to the wrong patient. (refer to CA00360409).2. Patient 2's PHI was breached when Licensed Nurse (LN) 1 shared Patient 2's diagnosis with LN 2 without a business need to know. (refer to CA00361140).This failure resulted in unauthorized access to Patient 1 and 2's PHI and the potential for abuse of that information.Findings:Refer to CA00360409.1. On 01/06/2014 at 11:40 a.m., during an interview, the Privacy Officer (PO) stated that on 06/25/2014 the PO was notified that a Home Health delivery truck driver had mistakenly left an IV bag at the home of the wrong patient. Patient 1's name, address and information relating to the prescription were on the IV bag. The PO stated the delivery truck driver failed to verify the correct patient received the correct intravenous IV medication, resulting in a breach of PHI.Patient 1's PHI breached included name, home address and patients medication.The hospital policy and procedure titled "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "III: A. It is the policy of [Hospital] to protect the privacy and security of patients information and to comply with applicable laws and regulations. III Guidelines: B. [Hospital] Privacy Policies and Procedures: 1. [Hospital] and its workforce members must comply with ... state and federal laws and regulations." C. Protecting the Privacy, "Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [Hospital] may use or disclose PHI." Refer to CA00361140.2. On 01/06/2014 at 11:50 a.m., during an interview, the Privacy Officer (PO) stated that on 06/27/2013 she was notified by the Director of Cardiology that on 06/26/2013 LN 1 inappropriately disclosed clinical findings related to Patient 2's hospitalization on 06/14/2013 to LN 2. Licensed Nurse 2 had no business need to know. Licensed Nurse 2 inappropriately stated to Patient 2, " I heard you have a leaky valve and get sick easily." The hospital policy and procedure titled "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "III: A. It is the policy of [Hospital] to protect the privacy and security of patients information and to comply with applicable laws and regulations. III Guidelines: B. [Hospital] Privacy Policies and Procedures: 1. [Hospital] and its workforce members must comply with ... state and federal laws and regulations." C. Protecting the Privacy, "Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [Hospital] may use or disclose PHI."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights