This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY HOSPITAL OF SAN BERNARDINO

1805 MEDICAL CENTER DRIVE SAN BERNARDINO, CA 92411

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 9, 2014. Also cited in 46 other reports.


Report ID: TLWX11.01, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO

Issue:

Based on interview, and record review, the facility failed to notify the California Department of Public Health (CDPH) within five business days of being made aware that a breach of protected health information (PHI) had occurred. This failure to report timely, had the potential for identity theft to occur, or for Patient A's protected health information (PHI) to be used in a manner not authorized by the patient.

Findings:

On April 9, 2014 at 1:30 PM, a visit was made to the facility to investigate an entity reported incident of a breach of PHI for Patient A. The breach occurred on March 5, 2014, but was not reported to CDPH, until March 18, 2014 (nine business days) after the facility was made aware that a breach had occurred. The facility also did not inform Patient A of the breach until March 18, 2014.

During an interview with the Director of Quality (DOQ) on April 9, 2014 at 1:45 PM, she stated, "A clerk (Employee 1) went into the system that the physician Employee 1 worked for had been given access to, so that the physician could view his patients' laboratory and other results. In attempting to view her own laboratory results, Employee 1 inadvertently pulled up someone else's (Patient A's) information. Patient A and Employee 1 had the same name and date of birth. When Employee 1 saw the diagnosis on the demographic screen, she shut off the computer. Employee 1 told the office supervisor right away and she [the office supervisor] called and notified us [the facility] of what had happened."

During further interview with the DOQ, when asked the reason for not reporting within the regulatory guidelines of five business days, she stated, "They [the physician's office staff] needed to be sure that they had the correct [used Patient A's name], since there were 15 [people with the same name] within the system."

When asked the reason the facility had not notified CDPH when they identified that a breach occurred, the DOQ stated, "OK, next time we will do that."

A review of the facility policy and procedure titled, "HIPAA Investigations (Health insurance portability and accountability act)," dated June 2012, indicated the, "Purpose was to identify a timely and succinct process to investigate and take action with potential or actual HIPAA privacy violations occurring at [name of hospital] and to meet legal timelines of reporting."

The failure of the facility to report within the required timeframe of five business days, once they identified a breach had occurred for Patient A's PHI, placed Patient A at risk of identity theft, or misuse of her information by Employee 1 who shared the same name and birth date as Patient A, and had accessed Patient A's PHI without authorization.

Outcome:

Deficiency cited by the California Department of Public Health: HSC Section 1279
