Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 20, 2012. Also cited in 46 other reports.
Report ID: QGOJ11, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
1. Based on interview and record review, the facility failed to maintain the confidentiality of Patient A's medical record and account number when the nurse entered the wrong account data onto another patient's discharge documents. This resulted in a breach of protected health information (PHI) in accordance with the facility's policies and procedure titled, "De-Identified Health Information and Limited Data Set Use &Disclosure," dated 1/17/12, which specified that for protected health information to be considered "de-identified," the following identifiers must be removed [including, but not limited to]: "medical record number" and "account number".FindingsOn 8/20/12 at 2:15 PM, the facility privacy officer (FPO) was contacted and the entity reported event on 8/6/12, was discussed.During interview with the FPO she stated, "[Used nurse's name] was doing core audits on closed records. She was trying to locate the discharge instructions for Patient B, date of birth (DOB) 6/23/82, who had been discharge on 7/31/12. She discovered when she located the clinical record, the medical record number and account numbers belonged to a patient with the same name but a DOB of 6/13/60, who was last hospitalized in 2005. The nurse determined that the patient (Patient B) had received the correct discharge instruction information with her name on it (being the same as Patient A), but with Patient B's account numbers.A review of the letter sent to Patient A,was done with the FPO and it was determined a breach had occurred.A review on 8/20/12 of the facility's policies and procedure titled, "De-Identified Health Information and Limited Data Set Use &Disclosure," dated 1/17/12, indicated that for protected health information to be considered "de-identified," the following identifiers must be removed [including, but not limited to]: "medical record number" and "account number".
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights