RIVERSIDE COMMUNITY HOSPITAL

Report ID: GCEG11, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure Patient A's protected health information (PHI) on a compact disc (CD), was not given to another patient. This resulted in the unauthorized disclosure of Patient A's PHI, which created the potential for unauthorized use.Findings:On December 28, 2011, at 1:45 p.m., an unannounced visit was made to the facility to investigate a breach of PHI.On December 28, 2011, at 1:50 p.m., the Facility Privacy Official, was interviewed. The Privacy Official stated on December 12, 2011, a Physician's Assistant (PA) gave a CD for Patient A to Patient B, in the Emergency Department (ED). The CD was delivered from the Radiology Department. The Radiology Department delivered the wrong CD.The CD contained Patient A's name, date of birth, medical record number, and the title and date of exam. Patient B returned the CD to the facility on December 16, 2011.On December 28, 2011, at 2:30 p.m., the Director of Emergency Services, was interviewed. The Director stated the Charge Nurse usually checked the CD with another nurse to verify the CD is for the correct patient. The PA did not verify the CD was for the correct patient.On December 28, 2011, the facility policy and procedure titled, "Safeguarding Protected Health Information," was reviewed. The policy revealed, "...The facility must take reasonable steps to safeguard and protect PHI. The facility must identify and utilize appropriate administrative, physical, and technical safeguards in order to protect PHI from inappropriate and/or unauthorized access, use, and/or disclosures..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280