Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 5, 2013. Also cited in 123 other reports.
Report ID: LUNY11, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patients 1 through 22). Patient 1 through 22's confidential information was included in a patients discharge packet on April 27, 2013. This resulted in the unauthorized disclosure of Patient 1 through 22's protected health information (PHI).Findings:On June 5, 2013, at 1:30 p.m., an interview was conducted with the Compliance and Privacy Officer (CPO) and Assistant Hospital Administrator (AHA). They stated: a. On May 2, 2013, Facility A received a telephone call from Facility B's Compliance Officer who stated a patient seen at Facility B's Emergency Department was in possession of a list of patients, their dates of birth, medical record numbers, and diets. The list had been included with the patient's discharge instructions when he was discharged from Facility A on April 27, 2013.b. The Compliance Officer from Facility B stated he would destroy the documents.The discharged patient from Facility A received and had an opportunity to view Patient 1 through 22's PHI, which included names, dates of birth, medical record numbers, and diets.Patients 1 through 22 were informed of the disclosure of their protected health information (PHI) via letters dated and mailed on May 7, 2013, to their last known addresses.The California Department of Public Health (CDPH) was notified via a telephone call on May 7, 2013, of the unauthorized access of Patient 1 through 22's PHI.The facility policy and procedure titled "Breach of Patient Privacy: Reporting Requirements" dated September 23, 2009, revealed "... Whether the complaint involves the unlawful or unauthorized access to, or the use or disclosure of, a patient's medical information ... the violation will be reported to the patient and State within no more than five (5) calendar days from identification of the unlawful or unauthorized access to, or use or disclosure of the patient's medical information. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280