This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY REGIONAL MEDICAL CENTER

2823 FRESNO STREET, FRESNO, CA 93715

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 19, 2014. Also cited in 62 other reports.


Report ID: SV9711.01, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview, clinical record and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when Patient 1's electronic medical record (EMR) was accessed by an employee without a business need to know. This failure caused the breach of Patient 1's PHI and possible unauthorized use.

Findings:

On 9/19/14 at 9:20 a.m., during an interview, the Privacy Officer (PO) confirmed Employee (E) 1 accessed an EMR during a computer training session. E 1 was being trained by Employee (E) 2. E 2 was logged into the computer under her personal password and walked away for a moment. At that time E 1 started looking up the EMRs of people she knew and accessed Patient 1's medical record. When E 2 returned to the training session, she realized what was happening and logged E 1 off the computer. The PO stated E 2 should not have walked away from the computer, and E 1 should not have been accessing the EMRs of any patients.

Patient 1's PHI breached included: name, address, phone number, date of birth, medical record number, account number, and clinical information.

The hospital's Policy and Procedure titled, "HIPAA (Health Insurance Portability and Accountability Act) General Rules for the Use and Disclosure of PHI," dated 4/18/12, indicated "... It is the policy of [Hospital's identity] to protect the privacy and security of patient information...Protected Health Information includes any information received, created, or maintained by ... in which the patient is or may reasonably be identified ... may only use or disclose PHI if: a. the patient has given a valid authorization..."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
