Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 22, 2014. Also cited in 123 other reports.
Report ID: MEVY11, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized disclosure of protected health information (PHI) for one patient (Patient 1). Two employees accessed the medical record of Patient 1, who was also an employee, without a business need to do so. This failure resulted in an unauthorized person having access to Patient 1's PHI and the potential misuse of the information.
Findings:
On May 22, 2014, the Administration Services Officer (ASO), was interviewed. The ASO stated, on August 19, 2013, during an audit, it was discovered an employee (Patient 1) had accessed her own medical record. The ASO stated this was against hospital policy, and the employee should have gone through the proper procedure to request a copy of her medical record. At the same time, it was discovered that two other employees, that had no business reason, had also accessed Patient 1's medical record. The ASO stated the information the employees accessed contained the following PHI: Patient's name, date of birth, address, phone number, medical record number, social security number, dates of service, emergency room triage details, vital signs, and medical history.
The ASO stated, during the investigation by Human Resources, the two employees denied accessing Patient 1's medical record. The employees did admit to leaving their computers unattended without logging-out, therefore, making it possible for others to potentially access the medical records. The ASO stated employees are required to log-out of their computers upon stepping away from their computers.
The facility policy titled, "Patient Privacy: HIPAA," dated August 27, 2013, was reviewed. The policy indicated, "Access to PHI is limited to workforce members based on a need-to-know to perform their duties at RCRMC... Log-off computer terminals when leaving... Refer all request for release of medical records to the Medical Records Department..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280