Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 1, 2013. Also cited in 62 other reports.
Report ID: Y8IP11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical and administrative document review, the hospital failed to ensure confidential treatment of Patient 1, 3 and 5's protected health information (PHI) when:1. Patient 1's PHI was mailed in a statement to another patient (CA003739080);2. Patient 3's PHI was given to another patient during discharge (CA00375170);3. Patient 5's ID armband containing PHI was given to another patient (CA00373924).These failures resulted in unauthorized access to Patient 1, 3, and 5's PHI and the potential for abuse of that information.Findings:CA00373908:1. On 11/1/13 at 2 p.m., during a telephone interview, the Privacy Intake Specialist (PIS) stated on 10/9/13, Patient 2 called the hospital and stated that he had received a form belonging to Patient 1 attached to an account statement.Patient 1's PHI breached included his name, date of birth, date of service, medical record number, account number and diagnosis.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/18/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employees, trainees, students, volunteers, and other designated persons."CA003751702. On 11/1/13 at 2;30 p.m., during a telephone interview, the PIS stated that 10/21/13, a hospital employee (physician) gave a discharge summary for Patient 3 to Patient 4. The PIS stated that the employee should have double checked to make sure the correct document was given to the correct patient but did not.Patient 3's PHI breached included her name, age, lab work to be done, diagnosis, physician, medications, and future appointments.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/18/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employees, trainees, students, volunteers, and other designated persons."CA003739243. On 11/1/13 at 2:15 p.m., during a telephone interview, the PIS stated on 10/13/13, Patient 6 was given an ID armband with Patient 5's information by a hospital employee. (Emergency Department Clerk) The PIS stated that the employee should have double checked the information before printing the armband but did not.Patient 5's PHI breached included her name, date of birth, medical record number, and account number.The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI" dated 4/18/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employees, trainees, students, volunteers, and other designated persons."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights