This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

RIVERSIDE COMMUNITY HOSPITAL

4445 MAGNOLIA AVENUE, RIVERSIDE, CA 92501

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 18, 2014. Also cited in 64 other reports.


Report ID: 0CBJ11.02, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and record review, the facility failed to report, no later than five days, five incidents of unauthorized access to protected health information (PHI), to the department. The facility's corporate office became aware of the unauthorized access of PHI on January 20, 2014, but did not report the disclosure to the department until March 12, 2014, 51 days later and 44 days after the mandated timeframe for the facility to report this disclosure.

Findings:

On March 12, 2014, the California Department of Public Health received a letter from the facility indicating several patients' protected health information was disclosed without authorization. The letter indicated the disclosure involved five patients who received services at the facility and the information disclosed included Patient A, B, C, D, and E's demographic information.

On March 18, 2014, at 9:30 a.m., the Facility Privacy Officer (FPO) was interviewed. The FPO stated the facility's main corporate office became aware of the breach on January 20, 2014, when an unknown person delivered a box containing a large number of documents to a corporate facility in Colorado. The FPO stated she was informed about the incident on March 6, 2014. The FPO stated on December 10, 2013, a business associate inadvertently sent a file containing 1000 patient billing statements to another business associate. The file was inadvertently printed and 250 documents were sent to four patients. The facility became aware when one patient hand delivered the documents to another corporate hospital, on January 20, 2014. The FPO stated the information disclosed included Patient A, B, C, D, and E's demographic information including patient name, address, patient account number, admission and discharge date, original charges, payments and discounts. The FPO stated the facility's corporate office conducted the investigation and February 7, 2014, was identified as the date the breach was confirmed by the corporation. The PO did not know why there was a delay in the facility being informed about the breach.

The facility policy and procedure titled "Protected Health Information Breach Notification," with an effective date of October 12, 2009, was reviewed. The policy indicated: "Any Company-affiliated facility in the case of a breach of unsecured PHI, must notify the patient or their personal representative without reasonable delay and in no case later than 60 days of discovering the breach." The policy continues: "A breach is considered discovered as of the first day on which the breach is known by the business associate and/or the facility." According to the policy a breach is the unauthorized acquisition, access, use, or disclosure of unsecured, unencrypted PHI. The policy and procedure titled "Safeguarding Protected Health Information," with an effective date of November 1, 2012, indicated "States may have separate laws that may apply additional legal requirements."

The facility failed to notify the department no later than five days after the disclosure had been detected. A corporate hospital had detected the breach on January 20, 2014, but the facility did not notify the department until March 12, 2014, 51 days later and 44 days after the mandated timeframe for the facility to report this disclosure.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
