Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 15, 2014. Also cited in 123 other reports.
Report ID: YDT911.03, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to notify Patient 1 of the unauthorized disclosure of their protected health information (PHI), in writing, within five business days after the disclosure had been detected by the facility. This resulted in a delay in the notification of Patient 1 of the unauthorized disclosure of their PHI. Findings:On January 15, 2014, at 2 p.m., the Administrative Services Officer (ASO) was interviewed. The ASO stated on June 18, 2013, an employee (Nurse 1) gave discharge instructions to the parents of an adult patient (Patient 1) without her permission. Nurse 1 filed an incident report the same day. The ASO stated the Privacy Department was not aware of the incident until the Quality Department inquired about the status of the investigation on July 10, 2013. The ASO stated Patient 1 should have been notified of the breach no later than five business days (June 25, 2013) after the facility became aware of the incident. The ASO stated Patient 1 was notified of the breach on July 19, 2013 (24 days after the required notification of five business days).The discharge instructions for Patient 1 was reviewed. The discharge instructions contained patient's name, date of birth, medical record number, diagnosis, medications prescribed, a brief summary of treatment and tests rendered.The facility policy and procedure titled, "Breach of Patient Privacy: Reporting Requirements," dated September 23, 2009, was reviewed. The policy indicated, "... The violation will be reported to the patient and state [CDPH] within no more than five (5) calendar days from identification of the unlawful or unauthorized access to, or use or disclosure of the patient's medical information..."
Outcome:
Deficiency cited by the California Department of Public Health: Medical Breach