Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 26, 2013. Also cited in 123 other reports.
Report ID: XLVP11.02, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to notify the Department within five days after a disclosure of protected health information (PHI) was detected for one patient (Patient A). Patient A's full name, date of birth, address, home phone number and physician's name were disclosed to Patient B on June 30, 2013. The facility became aware of the breach on July 16, 2013 and notified the Department, 34 business days later, on September 11, 2013. This resulted in a delay in the notification of CDPH and a possible delay in the investigation of the unauthorized disclosure of Patient A's PHI. Findings:On September 11, 2013, the facility notified the Department a prescription intended for Patient A, was inadvertently given to Patient B.During an interview with the Privacy Officer (PO) on September 11, 2013, at 10 a.m., the PO stated on July 16, 2013, the pharmacy became aware Patient A's information was released to the wrong person, when Patient B returned with a prescription bottle and attempted to get the prescription refilled. The PO stated it was not immediately reported to her office, as a new computerized incident reporting system did not automatically notify the privacy department. This information was reported to the Department on September 11, 2013, 34 business days (50 calendar days), after the facility was aware of the incident. The facility's Policy and Procedure titled, " Breach of Patient Privacy: Reporting Requirements, " with an effective date of September 23, 2009, was reviewed on September 11, 2013. The policy indicated "...Whether the complaint involves the unlawful or unauthorized access to, or the use or disclosure of, a patient's medical information...the violation will be reported to the patient and State [Department] within no more than five (5) calendar days from identification of unlawful or unauthorized access to, or disclosure of, patient healthcare/medical information..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280