Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 28, 2014. Also cited in 123 other reports.
Report ID: XGYY11.01, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept private, when Staff A accessed the record of Patient A, without a work related need to do so. This resulted in the unauthorized disclosure of Patient A's protected health information and Staff A's sharing the information with family members.Findings:On January 28, 2014, at 8:30 a.m., an investigation was conducted for this entity reported incident. On January 28, 2014, at 4:20 p.m., the Administrative Services Officer (ASO) was interviewed. The ASO stated Patient A was an inpatient on a medical/surgical unit where Staff A was assigned. Staff A, a relative of Patient A, accessed Patient A's electronic record even though she was not assigned to care for the patient. The ASO also stated Staff A had not received authorization from Patient A, to view the patient's record. The ASO stated an audit was conducted after the breach was reported and it was noted that Staff A accessed Patient A's record on multiple occasions without a work related purpose to do so.On April 14, 2015, a copy of the letter sent to Patient A was reviewed. The letter was dated August 21, 2013, and indicated: "...The Privacy Office was made aware of this disclosure on August 19, 2013...The disclosure occurred during your June 2013 and August 2013 inpatient stays. The disclosure occurred when a relative of yours accessed your electronic medical records..."A review of a document titled "Query of User Staff a for June 2013," indicated Staff A accessed Patient A's record on June 3, and 4, 2013. A review of a document titled "Query of User Staff a for August 2013," indicated Staff A accessed Patient A's record on August 12 and 13, 2013. The facility policy titled, "Patient Privacy: HIPAA (Health Insurance Portability and Accountability Act)," with a release date of August 27, 2013, was reviewed. The policy indicated: "Purpose: ...provides guidance on the protection of patient privacy." The policy further indicated: "Maintain the highest level of confidentiality for all patient protected health information and share it only with those who have a "need-to-know" according to their job duties and responsibilities...Access to PHI is limited to workforce members based on a need-to-know to perform their duties..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280