Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 21, 2013. Also cited in 123 other reports.
Report ID: CP0L11.01, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to ensure that Patient A's Protected Health Information (PHI) was not disclosed to any entity not authorized to receive the information.This failed practice resulted in unauthorized access to Patient B's demographic information, medical records, and Protected Health Information and increased the potential for unauthorized use of Patient B's personal information.Findings:On October 21, 2013, an entity self-reported breach of Protected Health Information for Patient A was investigated. On October 21, 2013, at 9 a.m., an interview was conducted with the Compliance Officer. The Compliance Officer stated the breach occurred on September 14, 2013. The breach occurred after the patient was discharged from the facility and given a ride home on the transportation van. Patient A left an envelope containing copies of her medical records on the transportation van. When Patient A realized that she had forgotten her medical records on the van, she notified the facility by phone. A facility staff member notified the van driver, and the van driver went back to Patient A's house to drop off her medical records. The envelope given to Patient A, contained Patient B's medical records. Patient A placed a second call to the facility to report she had received Patient B's medical records. The envelope contained approximately 15 pages of Patient B's medical records, which included consents, diagnoses, list of psychiatric medications prescribed, location of admission, date of birth, dates hospitalized, and information about Patient B's treatments.The facility policy and procedure titled "Patient Privacy, Confidentiality, Medical Records, And Access To, Or Release Or Disclosure Of, Patient Information" revised January 2, 2009, indicated under purpose, "To protect patient's rights to privacy and security of their healthcare information and to establish the criteria and the methods by which patient healthcare information may be accessed, used, released, or disclosed...Personnel shall maintain the confidentiality/privacy of information contained in the medical records of patients and, except for the purposes of treatment, payment, or healthcare operations, shall not disclose patient information without the patient's written authorization or..."The facility failed to ensure Patient B's Protected Health Information was not disclosed to any entity not authorized to receive the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280