RIVERSIDE COMMUNITY HOSPITAL

Report ID: KHWI11, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and documents review, the facility failed, for one patient (Patient A), to ensure that Protected Health Information (PHI) was not disclosed to an entity not authorized to receive the information. This failed practice had a potential to result in medical identity theft and/or fraud. Findings:On April 21, 2011, an investigation regarding unauthorized disclosure of Patient A's PHI was conducted. On May 16, 2013, at 2:27 p.m., a follow up phone call was made to the facility. A phone interview with the Facility Privacy Officer (FPO) was conducted. The FPO stated Patient A and Patient B both requested their medical records. An employee of the contracted medical information company sent both Patient A and Patient Bs' records to Patient B. Patient B notified the facility that she received Patient A's records on January 27, 2011. Patient B returned Patient A's records to the facility on the same day. The FPO stated she kept the copies of Patient A's records with her investigation documents. The FPO stated a letter was sent to Patient A, notified her of the privacy breach. On May 16, 2013, a review of facility documents included:a. Patient A's medical records. The PHI included patient's name, date of birth, sex, age, social security number, ethnicity, address, phone number, next of kin information, insurance information, diagnoses, account number, medications, consultation reports, all health and medical related information of Patient A. b. A letter addressed to Patient A, dated February 2, 2011, indicated the facility notified Patient A of the privacy breach.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280