Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 21, 2013. Also cited in 123 other reports.
Report ID: CP0L11.02, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to ensure the California Department of Public Health was notified within five days after the unauthorized disclosure of Patient B's protected health information (PHI) was detected. Patient B's full name, date of birth, medical consents, diagnoses, medication lists, location of admission, dates hospitalized, and treatment information was disclosed to Patient A on September 14, 2013. The facility detected the unauthorized access of Patient B's medical information on September 14, 2013, and notified the Department on September 24, 2013, ten days later, and four days after the mandated timeframe for the facility to report the event.Findings:On October 21, 2013, a facility self-reported breach of Protected Health Information for Patient B was investigated. On October 21, 2013, at 9 a.m., an interview was conducted with the Compliance Officer. The Compliance Officer stated the breach occurred on September 14, 2013. The breach occurred after the patient was discharged from the facility and given a ride home on the transportation van. Patient A left an envelope containing copies of her medical records on the transportation van. When Patient A realized that she forgot her medical records on the van, she notified the facility by phone. A facility staff member notified the van driver, and the van driver went back to Patient A's house to drop off her medical records. The envelope contained Patient B's medical records. The envelope contained approximately 15 pages of Patient B's medical records, including consents, diagnoses, list of psychiatric medications prescribed, location of admission, date of birth, dates hospitalized, and information about Patient B's treatments. Patient A placed a second call to the facility to report she had received Patient B's medical records.A record review indicated the incident occurred September 14, 2013, and staff was aware of the incident the same day. The Department was notified about the breach on September 24, 2013, ten days later, four days after the mandated five business day reporting period. The facility policy and procedure titled, "Breach of Patient Privacy: Reporting Requirements," was reviewed. The policy indicated, "The violation will be reported to the patient and State within no more than (5) calendar days from identification of the unlawful or unauthorized access to, or use or disclosure of the patient's medical information..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280