Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 27, 2013. Also cited in 62 other reports.
Report ID: EZT611, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when Physician Assistant 1 (PA 1) took PHI to his private residence. The total number of Patients with PHI taken home by PA 1 was 497 (four hundred ninety seven) (Patients 1, 2, 3 .... 495, 496, 497). This failure resulted in the potential of unauthorized use for all 497 patients.
Findings: On 8/27/13 at 4 p.m., during an interview, the Privacy Officer (PO) stated the hospital became aware of an alleged breach of patient information on 8/20/13 when an anonymous informer brought to the hospital a box full of patient information that was stored at the residence of PA 1. The alleged breach was reported to the Department on 8/26/14. The PO confirmed the patient information belonged to patients hospitalized at the hospital and totaled 497 patients. The PO stated the box-full of patient information included patient name, medical record number, date of birth, hospitalization dates and clinical history for each of the 497 patients. The PO stated that written authorization of each of the 497 patients was not obtained prior to the PHI leaving hospital premises. The PO stated that PA 1 did not follow expected policies and procedures for maintaining the confidentiality of PHI. The PO stated that the taking home of PHI by PA 1 was not approved by the Privacy Office and not consistent with hospital policy and procedure.
On 10/16/13 at 1:30 p.m., during an interview, PA 1 stated that he took patient information home on a card that included patient name, medical record number, date of birth and clinical information pertinent to the care of the patient while hospitalized. PA 1 stated he kept the patient information secured while stored in his home. PA 1 stated that he took the patient information home for billing purposes and to review clinical information for the patients assigned to him. PA 1 was unaware of the anonymous informer retrieving the box full of patient information from his home and taking the box full of patient information to the privacy office for the hospital. PA 1 was unaware that the total number of patients he had information on totaled 497. PA 1 was unaware that taking patient information out of the hospital constituted a possible breach of PHI.
On 10/16/13 at 1:45 p.m., during an interview, Medical Doctor 1 (MD 1) explained he was the supervising doctor for PA 1. MD 1 was aware that PA 1 took home patient information for billing purposes. MD 1 was unaware taking patient information out of the hospital constituted possible breach of PHI. MD 1 was unaware the number of patient information at the home of PA 1 totaled 497.
The list of patients provided by the Privacy Office indicated the following PHI was included for each of the 497 patients: name, date of birth, medical record number, clinical history and hospitalization dates.
Review of the hospital policy and procedure entitled "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI" (revised 4/8/12) indicated under "...III POLICY A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations. IV Guidelines A. Protected Health Information and Records 1. Protected Health Information includes any information received, created, or maintained by (the hospital) in which the patient is or may reasonably be identified, regardless of whether the information is in oral, paper, or electronic form... B. (Hospital) Privacy Policies and Procedures ... 2. It is the responsibility of all (hospital) workforce members to comply with the policies and procedures ... D. Using and Disclosing PHI 1. (the Hospital) may only use or disclose PHI if: a. the patient has given a valid authorization...e. (hospital) workforce members should never disclose information about a patient unless they have explicit authorization to do so and have been trained in the proper procedures for releasing patient information. Such workforce members should exercise care in how they communicate patient information and how and where they keep patient information to reduce the likelihood that it is exposed to unauthorized persons ... N. Data security 1. Patients have the right to expect that their information is collected, stored, and maintained in a reliable manner and that sufficient precautions are taken by (the hospital) to prevent its misuse. It is the responsibility of all (hospital) workforce members to read the applicable security policies and comply with their provisions..."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights