Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COMMUNITY HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 10, 2014. Also cited in 64 other reports.
Report ID: 4Y8E11, California Department of Public Health
Reported Entity: RIVERSIDE COMMUNITY HOSPITAL
Issue:
Based on staff interview and record review the facility failed to prevent the unauthorized access and/or disclosure of Patient 1's private health information (PHI) during the faxing of medical information. Patient 1's PHI was inadvertently faxed by the facility's blood bank to a former facility worker's home fax. This had the potential to result in the misuse of Patient 1's private health information.Findings:On December 10, 2014, at 10:15 a.m., the Facility's Privacy Officer (FPO) was interviewed. The FPO stated, "The former Blood Bank Supervisor left her own personal fax number on the facility fax machine. Her number was not removed when she resigned her position. The staff inadvertently used her fax number while attempting to fax patient information to the Blood Bank. The Blood Bank called and stated they never received the requested faxed information. The facility did attempt to retrieve the information by phone request. The facility as of this time did not get the information back." The FPO stated, "The missing forms did not delay treatment (for Patient 1) and she called back to verify that she received the notification letter."A review of the facility letter sent to Patient 1 on December 4, 2014, indicated, "...We are writing to inform you of recent unauthorized disclosure of a patient's (Patient 1's) protected health information. The disclosure involved 1 patient (s) who received services at our facility: The information included the following direct identifiers: Demographic information-name, date of birth, record number, doctor's name. Clinical information-lab results and diagnosis." A review of the facility form titled, "Safeguarding Protected Health Information," dated with revision of September 23, 2013, indicated, "When faxing PHI, workforce members should take appropriate safeguards: ...Double check the fax number entered before sending...Test pre-programmed fax numbers prior to use.Have a process to verify the programmed numbers on a regular basis.Remind regular fax recipients to provide updated fax numbers when numbers change."The facility failed to follow the safeguarding of faxed PHI according to facility policy. The former worker's fax number was not removed from the programmed list of numbers and the number was not verified before inadvertently sending Patient 1's PHI. This had the potential to result in the misuse of Patient 1's private health information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280