RIVERSIDE COMMUNITY HOSPITAL

Report ID: BE0D11, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure a compact disc (CD) containing imaging films for Patient A, was given to the correct patient. This resulted in the disclosure of Protected Health Information (PHI) to an unintended recipient.Findings:On September 28, 2011, at 4 p.m., an unannounced visit was made to the facility to investigate a breach of PHI for September 18, 2011.In a concurrent interview with the Health Information Officer, she stated radiology information on Patient A's CD contained Patient A's name, medical record number, date of birth, list of films, and Xray results on the CD. Patients A and B were to be transferred to acute care hospitals. The CD for Patient B was to be transported to an acute care hospital by the wife of Patient B. The CDs were switched for Patient A and Patient B. The staff did not verify the correct contents prior to the discharge of Patient B.The acute care hospital where Patient B was being transferred to, notified the facility on September 18, 2011, of the incorrect CD received for Patient B.On September 28, 2011, at 4:25 p.m., Staff 1 was interviewed. Staff 1 stated radiology received the call and staff verified the exams. Staff placed the information on a disc, and called the staff to take it to the floor that requested the CD.According to the Privacy Officer there was no facility policy and procedure in place that addressed transferring, safeguarding, protection, encryption, etc... of PHI on CDs.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280