Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 26, 2014. Also cited in 46 other reports.
Report ID: B6ZP11.01, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI), when the Director of Employee and Labor Relations, Human Resources (HR) Department and the Vice President (VP) of HR verbally informed other HR department employees that Patient A (also a HR employee) was hospitalized with a possible diagnosis of Meningitis without Patient A's consent. This resulted in a breach of PHI for Patient A.Finding:On July 2, 2014 at 4:35 PM, a telephone interview was conducted with the Facility Privacy Officer (FPO) regarding an entity reported incident of a breach of PHI for Patient A. She stated that "Patient A notified the Human Resources department that she would be off work due to a possible diagnosis of meningitis. There was concern for the health of other employees in the HR department since one of them was pregnant.""The Director of Employee and Labor Relations, HR department informed a HR employee who was pregnant that patient A was admitted to the hospital with a possible diagnosis of meningitis, which was not confirmed at that time."On July 7, 2014 at 5:10 PM during a telephone interview with Patient A, she stated "I was on leave of absence from work and due back on March 1, 2013. I was admitted to the hospital on February 27, 2013 with meningitis. While I was in the hospital, I called the HR department and spoke with the VP of HR, informing her that I was in the hospital and why. I received a call back later from the VP of HR and she informed me that she had told the "other girls" in the office to go get tested. When I asked the VP of HR why she told them, the VP of HR stated that she had to tell them, that's when I knew my PHI was breached.Patient A further stated "I guess the VP of HR notified the Director of Employee and Labor Relations, HR Department of my diagnosis and then she informed another HR employee who was pregnant."When Patient A was asked if she thought this was a malicious breach of her PHI, she stated "Absolutely not, we are a close team and I think it was just a slip. They were ultimately trying to do the right thing."A review of the facility policy and procedure titled, "Confidentiality and Data Classification", dated January 2012 indicated:"It is the policy of (facility name) to provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity.""D. Consistent Protection: Information must be protected in a manner commensurate with its classification, regardless of where it resides, what form it takes, what technology was used to handle it or what purposes it serves." The facility failed to protect Patient A's right to privacy resulting in the unauthorized disclosure of of Patient A's PHI to other facility employees without consent.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights