Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 13, 2014. Also cited in 62 other reports.
Report ID: Y0B311.01, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's face sheet was included with the discharge papers given to Patient 2. (refer to CA00376276).
2. Patient 3's medical claim form was mailed to the wrong insurance company. (refer to CA00377803).
3. Patient 4's medical claim form was sent to a physician's office instead of the intended insurance company. (refer to CA00378498).
4. Patient 5's electronic medical record was inappropriately accessed on two separate occasions by different staff without a business need to know. (refer to CA00380714).

These failures resulted in unauthorized access to Patient 1, 3, 4 and 5's PHI and the potential for abuse of that information.

Findings:

Refer to CA00376276.
1. On 01/13/2014 at 4:00 p.m., during an interview, the Privacy Officer (PO) stated LN 1 gave Patient 2 the face sheet for Patient 1. Licensed Nurse 1 should have verified the correct names on the discharge papers, but this was not done.

Patient 1's PHI breached included name, date of birth, gender, address, insurance information, medical record number, account number and clinical information related to hospitalization on 11/01/2013.

The Hospital's Policy and Procedure titled "HIPAA General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "...C. Protecting the Privacy 1. Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [hospital] may use or disclose PHI."

2. Refer to CA00377803.
On 01/13/2014 at 3:45 p.m., during an interview, the Privacy Officer (PO) stated that staff in Financial Services was informed by an insurance company that they had received 3 claims for Patient 3. The insurance company stated Patient 3 was not covered by them. The Account Biller should have verified the correct insurance company before sending the claims but this was not done.

Patient 3's PHI breached included name, date of birth, social security number, medical record number, account numbers, and clinical information.

The Hospital's Policy and Procedure titled "HIPAA General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "...C. Protecting the Privacy 1. Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [hospital] may use or disclose PHI."

Refer to CA00378498.
3. On 01/13/2014 at 4:10 p.m., during an interview, the Privacy Officer (PO) stated that a medical claim for Patient 4 was mailed to a physician's office instead of Patient 4's insurance company. The Patient Financial Services staff should have confirmed the insurance company's address before mailing the claims but this was not done.

Patient 4's PHI breached included name, date of birth, address, phone number and insurance information.

The Hospital's Policy and Procedure titled "HIPAA General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "...C. Protecting the Privacy 1. Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [hospital] may use or disclose PHI."

4. Refer to CA00380714.
On 01/13/2014 at 3:30 p.m., during an interview, the Privacy Officer (PO) stated that on 11/26/2013 a Certified Registered Nurse Anesthetist (CRNA) inappropriately accessed Patient 5's electronic medical record. On 12/10/2013, Physician 1 inappropriately accessed Patient 5's medical record without a business need to know. Patient 5's medical record was included in a hospital protocol called "Break the Glass" (BTG).

Break the Glass is a prompt with the following verbiage, "All access to BTG is tracked and monitored for appropriateness on a daily basis. The patient information you are attempting to access is restricted. Break the Glass encounters should be accessed for current continuity of care or a legitimate business need to know only. Inappropriate access may result in a reportable privacy violation. Please enter a reason and your password if you would like to proceed." CRNA had to Break the Glass in order to view the record, which he should not have done. Physician 1 received the prompt of BTG and chose to BTG, which Physician 1 should not have done.

Patient 5's PHI breached included name, date of birth, address, gender, medical record number, account number, anesthesia information pertaining to procedure during hospitalization on 11/21/2012, and clinical information related to hospitalization on 11/21/2013.

The Hospital's Policy and Procedure titled "HIPAA General Rules for the Use and Disclosure of PHI", dated 4/18/12, indicated "...C. Protecting the Privacy 1. Protecting the privacy of PHI means that PHI is used or disclosed only for authorized purposes, only the minimum necessary information is used or disclosed for any purpose, and only persons who have been authorized by [hospital] may use or disclose PHI."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights