This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY HOSPITAL OF SAN BERNARDINO

1805 MEDICAL CENTER DRIVE, SAN BERNARDINO, CA 92411

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 26, 2014. Also cited in 46 other reports.


Report ID: 7L4911.01, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO

Issue:

Based on interview and record review, the facility failed to report a breach of protected health information (PHI) to the California Department of Public Health, Licensing and Certification Unit (CDPH, L&C) within five (5) business days as required by regulation. This failure to report could result in delay in the reporting of future breaches.

Findings:

On July 2, 2014 at 4:05 PM, a telephone interview was conducted with the Director of Quality/Facility Privacy Officer, to investigate an entity reported incident of a breach of personal health information (PHI) for Patient A. The breach was detected on February 1, 2013, but was not reported by February 8, 2013 (within five business days) as required. CDPH L&C and Patient A's estate were not notified until February 19, 2013 (twelve business days) after the facility was made aware that a breach had occurred.

During an interview with the Director of Quality/Facility Privacy Officer (DQ/FPO), who was not the FPO at the time of the occurrence, she stated that the Director of Inpatient Services/Behavioral Health Services (DIS/BHS) was notified during a charge nurse staff meeting on February 1, 2013 by a registered nurse (RN 1), that RN 1 had accessed Patient A's clinical record after Patient A was discharged from the hospital. A review of an email dated February 1, 2013 from the DIS/BHS to the acting FPO at the time confirmed that a breach of PHI for Patient 1 had been detected.

On July 2, 2014 at 4:05 PM, a telephone interview was conducted with the DQ/FPO. When asked the reason for not reporting within the regulatory guidelines of five business days, she stated, "The DIS/BHS began her investigation on February 1, 2013 after being told by RN 1 that she had accessed Patient A's clinical record."

A review of an email dated February 13, 2013 sent by the Director of Employee & Labor Relations to the FPO at that time indicated that RN 1 had received a 3-day suspension for not having appropriate reasons for accessing Patient A's clinical record.

A review of the facility policy and procedure titled, "HIPAA Investigations (Health insurance portability and accountability act)," dated June 2012, indicated the "Purpose was to identify a timely and succinct process to investigate and take action with potential or actual HIPAA privacy violations occurring at [name of hospital] and to meet legal timelines of reporting."

The delay in reporting a breach of Patient A's PHI placed Patient A at risk of identity theft from the clerk who shared her name and date of birth.

Outcome:

Deficiency cited by the California Department of Public Health: HSC Section 1279
