Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 26, 2014. Also cited in 46 other reports.
Report ID: 7L4911.02, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview, and record review, the facility failed to maintain the confidentiality of Patient A ' s protected health information (PHI). This resulted in the unauthorized access of Patient A ' s clinical record by a registered nurse (RN 1).Findings:On July 2, 2014 at 4:05 PM, an investigation was conducted with the Facility Privacy Officer (FPO) to investigate an entity reported incident (ERI) of the unauthorized access of Patient A ' s clinical record by RN 1.During a review of the entity reported incident (ERI) submitted to California Department of Health Licensing and Certification (CDPH, L&C) division, dated February 20, 2013, the report indicated that RN 1 had accessed Patient A ' s clinical record without a business need. The ERI further indicated that RN 1 when questioned by the facility privacy officer (FPO) at the time the breach was discovered regarding the unauthorized access, RN 1 was unable to give an explanation as to why she accessed Patient A ' s clinical record.The records viewed by RN 1 on January 31, 2013 included the nurses ' notes and medications records and patient assessment forms.During an interview with the FPO on July 2, 2014 at 4:05 PM, she stated on February 1, 2014, a staff member (RN 1) told the Director of Inpatient Services of the Behavioral Health Services (BHS) Unit that she had accessed Patient 1 ' s clinical record for the purpose of obtaining information for someone identifying themselves as Patient A ' s wife.A review of Patient A ' s face sheet for a hospital stay from January 18, 2013 through January 25, 2013 indicated that Patient A did not have a wife.A review of an email from the Director of Employee and Labor Relations to the FPO dated February 13, 2013, with results of an investigative report, indicated RN 1 did not have an appropriate reason to have access Patient A ' s clinical record. On July 8, 2014 at 3:40 PM, during a telephone interview with the Director of In-Patient Services, she stated "Towards the end of a charge nurse meeting on February 1, 2013 when I was educating re-Health Insurance Portability and Accountability Act (HIPAA), when RN 1 informed me someone identifying themselves as Patient A's wife had called and gave the name of a nurse she wanted to speak with. RN 1 did not want to breach patient A's information, so no information was given to the caller. RN 1 then proceeded to inform me that after she hung up the phone with the caller, she accessed Patient A's clinical record and navigated through the notes to see if she could find a reference to the nurse the caller had given to her. RN 1 further stated that while she was navigating within Patient 1's clinical record, she wanted to make sure that her documentation was ok." Patient A's clinical record was accessed by RN 1 twice: initially on January 25, 2013, the day patient A was discharged from the Behavioral Health Services Unit where RN 1 was the charge nurse and the second time on January 31, 2013. A review of the facility policy and procedure titled, "Safeguarding PHI and Sensitive Information", dated January 2012 indicated: " 1. It is the policy of (facility name) to provide appropriate access to its information based on a need-to-know basis while preserving its confidentiality and integrity."A review of the facility policy and procedure titled, " Network Usage Policy " , dated January, 2012 indicated: " G. Prohibited uses of the Network " " 6. Accessing or disclosing confidential information, sensitive information, or strictly confidential information that is not within the scope of the users health related duties and responsibilities "The failure of the facility to maintain the confidentiality of Patient A's PHI resulted in the unauthorized access of Patient A's clinical record by RN 1.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights