RIDGECREST REGIONAL HOSPITAL

Report ID: EJYH11, California Department of Public Health

Reported Entity: RIDGECREST REGIONAL HOSPITAL

Issue:

Based on interview and record review, the hospital failed to protect patient health information from unauthorized access (1). This had caused a violation of patient rights. Findings: During an interview with the Health Information Manager/Privacy Officer (HIM/PO) on 3/3/11 at 12 PM, she stated the hospital received a complaint from Patient 1 regarding an unauthorized access of her medical record. The HIM/PO stated the hospital investigation determined the breach occurred. She stated the electronic trace for computer access revealed Staff A accessed Patient 1's medical record and Staff A was not assigned to care for Patient 1. The HIM/PO stated Staff A viewed computer screens that contained protected health information which included Patient 1's name, address, home phone number, social security number, admission complaint, admission diagnosis, physician, past surgeries, medical history, financial class, weight, height, and date of birth. The electronic medical record access log was reviewed on 3/3/11. The "Paragon HIPAA Trace by Visit", dated 2/21/11, indicated Staff A accessed the clinical record of Patient 1 from the computer device in the Pediatric Department. Staff A viewed the "vital sign", "flow sheet", and "patient profile" windows of the clinical record on 1/9/11 starting at 9 PM. The employee file for Staff A was reviewed on 3/3/11. The "Protected Health Information" confidentiality agreement was signed by Staff A on 12/1/10. The hospital policy and procedure titled "Confidentiality of Protected Health Information" dated 8/21/10, indicated "All information that is deemed 'PHI' by [facility] and/or specific legal statues shall be kept confidential..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights