Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 15, 2014. Also cited in 46 other reports.
Report ID: YGEX11, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A, when a case manager (nurse who coordinates long-term care for patients) (CM 1) mailed an appeal packet (correspondence sent to an insurance company to reconsider their decision to deny payment for a patients care) containing Patient A's PHI documentation to an unintended insurance company instead of the intended insurance company. This failure resulted in an unauthorized release of PHI for Patient A.Finding:On December 18, 2014 at 9:51 a.m. a phone interview was conducted with CM 1 regarding an entity reported incident of a breach of PHI for Patient A, detected on December 5, 2014. CM 1 stated they work off of an appeal template (prepopulated company name and address); they have five templates to choose from. She stated she chose the template, but had to have manually changed the address. The appeal packet was delivered to the case management office and sent out. The appeal packet had the correct insurance company name but the incorrect address.In a phone interview with the Senior Director of Quality and Infection Control (SDQIC) on December 18, 2014 at 9:57 a.m., the SDQIC stated the CM 1 chose the template but did not verify it. The facility has now put into place an appeal log maintained by Patient Financial Service (PFS) which lists the appeals address to be checked against as second verification before sending information out.During record review it was determined Patient A, was notified via mail of the breach on December 9, 2014 of their individual PHI.During a review of the documentation mailed to the insurance company in error, the documentation contained Patient A's name, address, date of birth, age, Social Security number, employer, diagnosis, patient account number, insurance policy number, discharge instructions, medications, emergency and admission orders, medication reconciliation documentation, laboratory report, X-ray report, and ECG (electrocardiogram: a diagnostic tool used to assess the electrical and muscular functions of the heart).A review of the facility policy and procedure titled, "Transfer of Protected Health Information," dated August, 2012, indicated, "Employees of the facility will protect the confidentiality of Protected Health Information (PHI) when releasing PHI."The failure to verify the address for the intended insurance company before mailing medical records, resulted in the unauthorized release and breach of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights