Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 26, 2013. Also cited in 123 other reports.
Report ID: XLVP11.03, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure Patient A was notified within five days after an unauthorized disclosure of her protected health information (PHI) was detected. Patient A's full name, date of birth, address, home phone number and physician's name were disclosed to Patient B on June 30, 2013. The facility became aware of the breach on July 16, 2013 and notified Patient A, 34 business days later, on September 11, 2013.
Findings:
On September 11, 2013, the facility notified the Department a prescription intended for Patient A was inadvertently given to Patient B.
During an interview with the Privacy Officer (PO) on September 11, 2013, at 10 a.m., the PO stated on July 16, 2013, the pharmacy became aware Patient A's information was released to the wrong person, when Patient B returned with a prescription bottle and attempted to get the prescription refilled. The PO stated it was not immediately reported to her office, as a new computerized incident reporting system did not automatically notify the privacy department. This information was reported to the Department on September 11, 2013, 34 business days (50 calendar days), after the facility was aware of the incident.
A review of a letter dated September 11, 2013, (addressed to Patient A) indicated on June 30, 2013, Patient A's prescription was inadvertently provided to another patient. "The prescription contained a Patient Information Insert which contained the following demographic information: your full name, date of birth, home telephone number, home postal address, name of the medication, and your doctor's name."
The facility's Policy and Procedure titled, "Breach of Patient Privacy: Reporting Requirements," with an effective date of September 23, 2009, was reviewed on September 11, 2013. The policy indicated "...Whether the complaint involves the unlawful or unauthorized access to, or the use or disclosure of, a patient's medical information...the violation will be reported to the patient ... within no more than five (5) calendar days from identification of unlawful or unauthorized access to, or disclosure of, patient healthcare/medical information..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280