Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KAISER FOUNDATION HOSPITAL - RIVERSIDE
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 24, 2014. Also cited in 25 other reports.
Report ID: YOOT11, California Department of Public Health
Reported Entity: KAISER FOUNDATION HOSPITAL, RIVERSIDE
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 3). Patient 3's confidential information was mailed to Patient 4, on October 14, 2014. This resulted in the unauthorized disclosure of Patient 3's protected health information (PHI).Findings:On October 24, 2014, at 3:02 p.m., an interview was conducted with the Compliance Officer (CO). She stated: a. On October 14, 2014, an envelope addressed to Patient 4 was mailed to Patient 4 at her last known address. b. Patient 4 had recently passes away and the envelope addressed to Patient 4 was opened by a family member.c. On October 20, 2014, the envelope addressed to Patient 4 was returned to the facility, by Patient 4's family member, because it contained the Physicians Orders For Life Sustaining Treatment (POLST) belonging to Patient 3.d. The facility was unable to determine who had mailed the POLST belonging to Patient 3, to Patient 4.Patient 4's family member received and had an opportunity to view Patient 3's PHI, which included name, date of birth, medical record number, gender, physician's name, admit date, and medical treatment requested for life sustaining measures.Patient 3 was informed of the disclosure of his protected health information (PHI) via a letter dated and mailed on October 24, 2014, to his last known address.The California Department of Public Health (CDPH) was notified via a telephone call received on October 23, 2014, of the unauthorized access of Patient 3's PHI.The facility policy and procedure titled, "Notifications Regarding Breaches of Protected Health Information" revised October 2013, revealed "... A Licensee must report to DPH (Department Public Health) any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined, no later than 5 business days after the facility detects the above occurrence. ... A Licensee must also notify the affected patient (or, as applicable, the patient's representative) at the last known address no later than 5 business days after the Licensee detects the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280