RIVERSIDE COMMUNITY HOSPITAL

Report ID: GPB811, California Department of Public Health

Reported Entity: RIVERSIDE COMMUNITY HOSPITAL

Issue:

Based on interview and document review, the facility failed to ensure that Patient A's Protected Health Information (PHI) was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information and medical records.Findings:An unannounced visit was made on September 4, 2013, to investigate a facility self reported breach incident. On September 4, 2013, at 1 p.m., an interview was conducted with the compliance officer, and quality director. The compliance officer stated the hospital became aware of the breach on August 6, 2013, when Patient B brought the medical records back and reported the incident to the hospital. Patient A and B were both discharged on the same day, and the nurse gave Patient B the wrong discharge documents. Patient B received Patient A's medical records. The records contained date of birth, date of service, medications, treatment information, physician orders, Patient B's full name and medical records numbers, diagnoses, and information regarding Patient B's medical conditions. The facility's policy and procedure titled, Safeguarding Protected Health Information, was reviewed. The policy indicated, "The facility will take reasonable steps to safeguard and protect PHI..."The facility failed to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280