Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CORONA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 25, 2013. Also cited in 19 other reports.
Report ID: GZIE11.01, California Department of Public Health
Reported Entity: CORONA REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to ensure their (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information, and medical records.Findings:On January 25, 2013, a visit was made to the facility to investigate a self-reported breach of PHI (protected health information). A concurrent interview was conducted with the facility ' s Director of Health Information Management (DHIM), and Director of Diagnostic Imaging, on January 17, 2013, at 10:30 a.m. The DHIM stated the breach occurred on August 8, 2011. Three employees that were not authorized to review Patient A ' s Protected Health Information, looked at Patient A ' s MRI results. Patient A had suspected that her co-workers had looked at her medical records and asked the Director of Diagnostic Imaging to conduct an investigation. The Director of Diagnostic Imaging stated he reviewed who had accessed Patient A ' s medical records, and found that the three employees had looked at the MRI results. The Director of Diagnostic Imaging stated the three employees had no business looking at Patient A ' s medical records, and he reported the breach immediately to the Director of Health Information Management. The facility's policy and procedures titled, "Information Management," was reviewed. The policy indicated the hospital was, "Committed to make reasonable efforts to protect the privacy of patient's health information, and to comply with all applicable federal and state laws that protect the privacy and security of patient health information..." The facility's policy and procedures titled, "PHI - Privacy Breach," was reviewed. The policy indicated, "All members of the workforce recognize that any compromise of the security or privacy of protected health information will be dealt with equally among all workers ...It is the policy of [name of hospital] to not tolerate any intent breach of a privacy or security of patient's protected health information...The facility failed to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280