RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Report ID: XK2M11, California Department of Public Health

Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Issue:

Based on interview and document review, the facility failed to ensure their (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information, and medical records.Findings:On January 17, 2013, an unannounced visit was made to the facility to investigate a self reported breach of PHI (protected health information). An interview was conducted with the facility's Compliance and Privacy Officer (PO), on January 17, 2013, at 10:30 a.m. The PO stated the breach occurred on November 2, 2012, when Patient B's insurance company requested Patient B's medical records. The wrong records were sent to the insurance company. The hospital sent Patient A's medical records to the insurance company. The employee that prepared the records, retrieved the wrong patient's records to be copied. The employee failed to use the two- identifier method to verify they had the right patient. Second, the contract company that delivered the records, also failed to use the two-identifier method to verify that they had the right patient's medical records. As a result, they copied, and delivered Patient A's records to Patient B's insurance company.The facility's policy and procedure titled, "Release of Information," was reviewed. The facility indicated under guidelines for completing the authorization completely, "Obtain the patient's name (verify that it is the name they were seen under), medical record number, date of birth, and social security number..."The facility failed to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280