Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 20, 2015. Also cited in 123 other reports.
Report ID: CZKD11, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized disclosure of protected health information (PHI) for one patient (Patient A), when Patient A's "Health Records Report," was given to Patient B. This failure resulted in an unauthorized person (Patient B) having access to Patient A's PHI and the potential misuse of the information.Findings:On January 20, 2015, a copy of the letter sent to Patient A was reviewed. The letter, dated January 9, 2015, indicated, "...Privacy office was made aware of this disclosure on January 6, 2015, and a thorough investigation has been completed ...your discharge Health Records Report ...included your name, date of birth, medical record number, admission date, physician name, and patient account number ...also included information regarding you medical history ..."A copy of the "Health Records Report," was reviewed. The document included Patient A's name, date of birth, admission date, medical record number, account number, room number, and medical information.On January 20, 2015, at 10:30 a.m., the Administrative Services Officer (ASO) was interviewed. The ASO stated on January 6, 2015, Patient B brought paperwork belonging to Patient A, back to the facility. Patient A stated she had received the paperwork with her discharge instructions on October 30, 2014, but she had just read it and realized the document was meant for someone else. The ASO stated there was a "two staff verification process," for discharges and information given to the patients at the time of discharge would be verified and initialed by two nurses. The ASO stated there were no initials on the documents returned by Patient B. A review of the facility policy titled,"Patient Care Services," dated May 2012, indicated, "All healthcare team members will use two unique, patient-specific identifiers to assist in correct identification of the patient...When identifying a patient, two of the following patient identifiers are mandatory: Patient name andPatient date of birthMedical Record Number...Patient identification shall be verified prior to care, treatment, or service in the treatment cycle such as but not limited to: ...registration, transportation, and discharge of patients."The facility failed to follow procedure to match discharge paperwork with the identified patient (Patient B) being discharged. This had the potential to result in the misuse of Patient A's private health information when PHI was given to Patient B.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280