RIVERSIDE COMMUNITY HOSPITAL

Report ID: I6T011, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure staff did not disclose Patient A's Protected Health Information (PHI) to an unauthorized recipient. This resulted in the unauthorized disclosure of Patient A's PHI which created the potential for unauthorized use.Findings:On September 14, 2012, at 8:30 a.m., an unannounced visit was made to the facility to investigate a breach of PHI.On September 14, 2012, at 10:20 a.m., the Facility Privacy Official was interviewed. The Official stated on August 16, 2012, a visitor came to the Intensive Care Unit (ICU) to visit Patient A. The visitor informed the facility Licensed Nurse that she was the sister of Patient A. The Licensed Nurse notified the visitor of the prognosis and status of Patient A. When the visitor was leaving, Patient A's husband and daughter passed the visitor. Patient A's husband and daughter asked the Licensed Nurse why the visitor was there. The Licensed Nurse informed Patient A's husband and daughter, the visitor had informed her she was the sister of Patient A.On September 14, 2012, the facility policy and procedure titled, "Safeguarding Protected Health Information," was reviewed. The policy indicated, "...Policy: The facility must take reasonable steps to safeguard steps to safeguard and protect PHI. The facility must identify and utilize appropriate administrative, physical, and technical safeguards in order to protect PHI from inappropriate and/or unauthorized access, use, and/or disclosures.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280