RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Report ID: 839H11, California Department of Public Health

Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Issue:

Based on interview and document review, the facility failed to ensure their (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic and medical information.Findings:On November 7, 2012, during a re-visit survey, the self reported breach was investigated.An interview was conducted with the Privacy Officer, on November 7, 2012, at 12:30 p.m. The Privacy Officer stated on July 9, 2012, she was notified Patient A's name, date of birth, medical record, and account number were inadvertently disclosed to the Medical Billing Office and Orthopedic Department. The orthopedic physician's returned the "Record of Operation" form with Patient A's name on to the medical records office because the Orthopedics Department never had Patient A as a patient. Patient B had surgery, but a staff member entered Patient A's demographic and account number's on Patient B's Record of Operation. An orthopedic physician discovered the error and reported the incident to the medical record's department.The facility's policy and procedure titled, "Breach of Patient Privacy", dated September 23, 2009, was reviewed. The policy indicated, "In compliance with (Health Information Portability and Accountability Act)HIPAA, reports or complaints revealing PHI should not be made to persons who do not need this information to do their jobs, and only the minimum necessary PHI can be used or disclosed by authorized persons to do their work in compliance with the minimum necessary access standards of HIPAA..."The facility failed to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280