This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY HOSPITAL OF SAN BERNARDINO

1805 MEDICAL CENTER DRIVE SAN BERNARDINO, CA 92411

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 9, 2014. Also cited in 46 other reports.


Report ID: TLWX11.02, California Department of Public Health

Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO

Issue:

Based on interview and record review, the facility failed to ensure physicians and their staff who are not hospital employees, with access to the physician's patients' confidential protected health information (PHI) at the acute care hospital, have safeguards in place to prevent access by unauthorized personnel.

This failure resulted in breach of PHI for Patient A, when a physician's office clerk (Employee 1) attempted to access her own laboratory results, but opened another person's file (Patient A) in error, allowing Employee 1 to view Patient A's PHI without authorization.

Findings:

On April 9, 2014 at 1:30 PM, a visit was made to the facility to investigate an entity reported incident of a breach of PHI for Patient A by an off-campus physician's office clerk (Employee 1).

During an interview with the Director of Quality (DOQ) on April 9, 2014 at 1:45 PM, she stated, "An employee [Employee 1] of a doctor who has access to his patient's clinical information through our computer system, tried to access her own laboratory results without authorization. She entered her name and birth date, and there was more than one person who shared both her name and birth date. When she opened the first screen, and saw the diagnoses, she knew it was not her file. She told her supervisor, who immediately notified us." When asked if everyone at the physician's office has permission to access the data of the physician's patients, she stated, "No, the doctors are given that access. They are not our employees, and neither was this clerk [Employee 1]."

A review of the snapshot taken of the computer screen accessed by Employee 1 was conducted on April 9, 2014 at 2:30 PM. The copy showed the person's (Patient A) name, date of birth, social security number, telephone number, date of visits and the purpose of each visit and the address.

During an interview with the Facility Privacy Officer on July 27, 2014 at 3:45 PM, when asked if the physicians who are given access to clinical data via the computer from the acute care hospital to the physician's office, she stated, "Physicians are given access to their patient's clinical data. They have to sign a confidentiality statement and ensure the hospital that they have safeguards in place to protect patients' PHI. It is part of the Medical Staff requirements."

During an interview with Employee 1 on July 28, 2014 at 11:55 AM, she stated she had her own access to limited data from the hospital, "I looked up my lab work. If we need things like operative reports, then only the physician can access those. I told my supervisor what happened [accessing another person's lab work] and we discussed it."

A review of the facility policy and procedure titled, "Compliance Oversight Committee," dated January 17, 2012, indicated, related to access to the health information systems and portals, that, "It is each user's responsibility to ensure the integrity, security and appropriate use of [facility name] email systems, technology and network resources, information and data..." The policy further indicated, "A user is required to..." "Maintain and use appropriate safeguards to protect the privacy and confidentiality of all data in accordance with the HIPAA (health insurance portability and accountability act) policies..."

The facility's failure to ensure that the physician followed protocols to prevent his staff from accessing confidential patient information as indicated by their individual roles, without authorization, resulted in a breach of Patient A's PHI, and placed her at risk for identity theft by Employee 1.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
