RIVERSIDE COMMUNITY HOSPITAL

Report ID: 0J3D11.01, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and documents review, the facility failed, for one patient (Patient A), to ensure that Protected Health Information (PHI) was not disclosed to an entity not authorized to receive the information. This failed practice had the potential to result in medical identity theft and/or fraud. Findings:On September 30, 2011, at 10:15 a.m., an investigation regarding unauthorized disclosure of Patient A's PHI was conducted. On May 16, 2013, at 2:43 p.m., a follow up phone call was made to the facility. A phone interview with the Facility Privacy Officer (FPO) was conducted. The FPO stated on September 21, 2011, an employee of the contracted medical information company wrongfully sent Patient A's electronic records to the Department of Social Services (DOSS). The patient's PHI included patient's name, date of birth, medical record number, account number, physician's name, date of services, health history and physical assessment. The DOSS sent Patient A's electronic records back to the contracted medical information company and the records were deleted in the system on September 26, 2011. On May 16, 2013, a review of facility documents included:a. A letter addressed to the facility's Manager, dated September 26, 2011, indicated the contracted medical information company notified the facility of the privacy breach of Patient A. b. A letter addressed to Patient A, dated September 28, 2011, indicated the facility notified Patient A of the privacy breach.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: 8MPV11.01