Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KAISER FOUNDATION HOSPITAL - RIVERSIDE
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 12, 2013. Also cited in 25 other reports.
Report ID: 15JH11, California Department of Public Health
Reported Entity: KAISER FOUNDATION HOSPITAL, RIVERSIDE
Issue:
Based on interview and record review, the facility failed to prevent the unauthorized access of Patient 1's medical information. This had the potential to result in misuse of private information.Findings:On March 12, 2013, at 8:55 a.m., an investigation was conducted for an entity reported incident. On March 12, 2013, at 10:10 a.m., the Compliance Officer (CO) and Compliance Project Manager (CPM) were interviewed. The CO stated on February 7, 2013, Patient 1's record was accessed by an Emergency Department Physician (MD 1). The CO stated MD 1 accessed Patient 1's record because MD 1 wanted to find out if he had treated Patient 1 in the past. The CO stated MD 1 stated he accessed Patient 1's record because of, "...Life and Safety..." concerns. The CO stated MD 1 accessed the facility's "ED (Emergency Department) Navigator," which was the organization's ED electronic medical record (EMR) system. The CO stated MD 1 wanted to find out if he had treated Patient 1 in the past. The CO added, as soon as MD 1 verified he had not treated Patient 1 at all, he exited the EMR. The CO stated MD 1 had no business or medical reason to access Patient 1's record.On March 12, 2013, at 9:15 a.m., a facility document titled, "Users Accessing a Patients EMR using PAT_ID" was reviewed with the CO and CPM. The CPM stated the document indicated MD 1 accessed Patient 1's record on February 7, 2013, at 12:07 p.m. The document indicated MD 1 accessed Patient 1's "demographics" section. The CPM stated there was no medical information accessed in Patient 1's record. The CPM stated the "demographics" contained Patient 1's name, address, date of birth, and medical record number.The facility policy titled, "Mitigation of Impermissible Uses and Disclosure of Protected Health Information" revised on January 2012, was reviewed. The policy indicated, "Kaiser Permanente (KP) must take action to reduce or eliminate, to the extent feasible, any known harm caused by an impermissible use or disclosure of Protected Health Information (PHI) by KP or its business associates."The policy further indicated, "Protected Health Information (PHI) - Individually identifiable health information including demographic information...created or obtained by a covered entity that is related to an Individual's past, present, or future physical or mental health or condition, including the provision of his/her health care..." The policy further indicated, "...Individually identifiable means that the information either identifies the Individual or there is a reasonable basis to believe that the information can be used to identify the Individual, such as name, date of birth, address...other personal identifiers..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280