Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 8, 2013. Also cited in 62 other reports.
Report ID: I03F11.01, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical record and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:
1. Employee 1 and 2 faxed PHI for Patient 1 and Patient 2 to the wrong payor (insurance billing company) in error. (see CA00321813)
2. Patient 3 was given Patient 4's County Health Department Certification documents in error at the Ambulatory Care Clinic registration. (see CA00336679)
These failures resulted in unauthorized access to confidential health information.
Findings:
(Related to CA00321813)
1. On 2/8/13 at 9:10 a.m., during an interview, the Privacy Officer (PO) Staff 1 stated, on 8/7/12 at 8 a.m., she was notified of two misdirected efaxes (electronic faxes). PO stated the first one occurred on 7/26/12 when Staff 2 misdirected by efax Patient 1's utilization review information to the wrong payor. The PO stated the payor contacted the facility to notify them that the information received was not one of their members. The PO stated the second one occurred on 7/27/12 when staff 3 sent Patient 2's information of utilization review to the wrong payor by mistake.
On 2/8/13 at 9:15 a.m., during an interview, the PO stated, she had contacted the payors for both Patient 1 and Patient 2 and the payors stated they had destroyed the information. The PO stated both Staff were inserviced on verifying information and location prior to efaxing.
On 2/8/13 at 9:16 a.m., the PO stated, on 8/13/12 both Patient 1 and Patient 2 were sent out a letter to inform them of the breach.
The facility policy and procedure number 12108, titled "Facsimile Transmission of Health Information," dated 7/26/10, contained the following documentation: "Staff members faxing patient information shall take reasonable steps to ensure that the fax transmission is sent to the appropriate destination."
On 2/11/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."
(Related to Ca00336679)
2. On 2/8/13 at 9 a.m., Staff 1 (Privacy Officer) stated on 12/18/12 the facility became aware of a possible privacy breach. The facility's internal investigation revealed Staff 2 (Patient Representative I) mistakenly gave Patient 3's MISP Certification documents (County Health Department documents) that belonged to Patient 4. Staff 1 stated it was staff 2's responsibility to ensure PHI was given to the correct Patients.
On 2/8/13 at 9:05 a.m., Staff 1 stated the MISP Certification documents contained Patient 4's name, gender, date of birth, confidential clinical information.
On 2/8/13 at 9:10 a.m., Staff 1 stated that on 12/11/12 at 11:30 a.m., Patient 1 while in the mammogram office noticed that the paperwork she had did not have her name on it. The supervisor from the mammogram office got the paperwork and took it back to the MSIP office and returned with the correct documentation with the correct patient information on it.
On 2/8/13 at 9:15 a.m., Staff 1 stated the Patient 4 was sent a certified letter on 12/18/12 informing her of the breach.
On 2/11/13 at 4:40 p.m. the facility policy and procedure number 12136, titled "HIPPA General Rules for the Use and Disclosure of PHI," dated 11/16/09, contained the following documentation: "It is the policy of Community Medical Centers to protect the privacy and security of patient information and to comply with applicable laws and regulations. ...PHI includes any information received, created, or maintained by the facility in which the patient is or may reasonable be identified, regardless of whether the information is in oral, paper, or electronic form."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights