RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Report ID: J5UV11, California Department of Public Health

Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure for two (2) patients (Patient A and B) that their protected health information (PHI) was not disclosed to an entity who was not authorized to receive the information. This failure resulted in unauthorized access to Patient A and B's PHI when a physician's notebook containing the patient information was stolen.Findings:An interview was conducted with the Administrative Services Officer (ASO) on February 10, 2014, at 10:45 a.m. to investigate a breach of PHI for Patient A and B. The ASO stated the facility was notified on December 23, 2013, a breach occurred on December 17, 2013, (time unknown) regarding Patient A and B. The ASO stated a paper notebook containing Patient A and B's names, medical record numbers, phone numbers, and the physical symptoms the patients exhibited was stolen from a physician's car. The ASO stated the physician should not have had the patients' PHI written on a notebook or left the notebook unattended in the car. The ASO further stated Patient A and B were informed by letter on December 26, 2013, of the breach.The facility's policy and procedure titled, "Patient Privacy, Confidentiality, Medical Records, And Access To, Or Release Or Disclosure Of, Patient Information," revised January 2, 2009, was reviewed. The policy indicated "To protect patient's rights to privacy and security of their healthcare information and to establish the criteria and the methods by which patient healthcare information may be accessed, used, released, or disclosed. [Facility Name] and it's personnel shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access use, or disclosure."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280