Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
REDLANDS COMMUNITY HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 20, 2015. Also cited in 9 other reports.
Report ID: B17O11, California Department of Public Health
Reported Entity: REDLANDS COMMUNITY HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a radiology scheduler (Employee 1) filled out a hospital form using Patient B's address. The radiology department generated a Magnetic Resonance Imaging (MRI) report using Patient B's address instead of Patient A's physician's business address. This resulted in a Health Insurance Portability and Accountability Act (HIPAA) breach of Patient A's PHI to Patient B.Findings:During a phone interview with the Privacy Officer on May 18, 2015 at 1:40 PM, the Privacy Officer stated the facility learned of the breach on February 18, 2015, when Patient B contacted the hospital to report receiving mail intended for Patient A's physician.During a interview with Employee 1 on May 22, 2015 at 10:45 AM, Employee 1 stated she filled in Patient B's address instead of the Patient A's physician's address when filling out the Non-Staff Credentialing Verification form. When asked if she mailed or stuffed the envelope, Employee 1 stated, "No that is done in a different department." When asked what department stuffs and mails the letters, Employee 1 stated, "The film room department stuffs the envelope and generates the form that is sent out."During a interview with the Radiology Department Manager (RDM) on August 13, 2015 at 2:29 PM, the RDM stated the following process for generating a MRI report: Once the non-staff physician is entered into the automated computer system by the medical staff, the radiology department schedules the procedure. After the procedure, the radiologist dictates the MRI report and electronically signs the report which causes the automated system to print the report from the information entered into the automated system. The printed report was sent to the file room staff to sort and mail out the report to the physician who ordered the procedure. The RDM stated there was not a process in place to verify the physician's address because the radiology department assumed the physician's address entered by the medical staff into the automated system was correct. The RDM stated Patient B's address was written on the script by the physician's office and the employee involved in the breach was identified by the name and phone number extension written on the top of the Non-Staff Credentialing Verification form.A record review of the non-staff physician's script, dated January 28, 2015, showed an order for MRI of the lumbar spine (lower back) without contrast (a type of dye used for an MRI) to diagnose left radiculopathy (nerve pain). This script was the source document for Patient A obtaining services from the hospital. The non-staff physician's business address is printed on the top of the script. Next to the physician's pre-printed address on the script was Patient B's address. A record review of the facility's form titled, "[name of hospital] Non-Staff Credentialing Verification", dated February 2, 2015, indicated Patient B's home address instead of the non-staff physician's business address. This second document was the form completed by Employee 1. Employee 1's name and phone number extension was written at the top of the form.A record review of the breached document, Patient A's MRI report, dated February 10, 2015, indicated Patient B's home address instead of the non-staff physician's business office under the name of the non-staff physician, [name of hospital], Patient A's name, date of birth, account number, gender, exam date, medical record number, type of exam, clinical history, and findings. A review of the facility's policy and procedure titled, "Accepting Orders from Non-Staff Licensed Independent Practitioners (LIPs) and Allied Health Practitioners (AHP), undated, under Procedure: B. 3. If the Practitioner is not listed in the Provider Dictionary, confirm the following information on the Non-Staff Credentialing Verification form: . . . e) the Practitioner's street address, city, state, and zip code; and . . . ."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights