Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 24, 2014. Also cited in 62 other reports.
Report ID: W5KX11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical record, and administrative document review, the facility failed to keep Protected Health Information (PHI) confidential when:1) A bill from a collection agency for Patient 1 was mailed to a government office on the hospital's behalf. (CA00367844)2) Discharge instructions for Patient 3 were given to Patient 4. (CA00364986)3) A list of treatment teams containing information for Patients 5, 6, 7, 8, 9, 10, 11, and 12 was left in Patient 13's room.(CA00369346)4) A face sheet belonging to Patient 14 was given to Patient 15. (CA00376108)5) Lab results and a billing statement for Patient 16 were sent to Patient 17, and to the wrong physician. (CA00380130) These failures resulted in unauthorized access to Patients 1, 3, 5, 7, 8, 9, 10, 11, 12, 14, and 16's PHI and the potential for abuse of the PHI.Findings:CA003678441) On 1/24/14 at 8:45 a.m., during an interview, the Privacy Officer (PO) stated that a government office received a billing statement for Patient 1 (P1). The PO stated that P1 entered the hospital under a procedure called "Rapid Check In", where no verification of demographics is needed. The PO states Hospital Staff failed to make sure all demographic information was up to date before P1 was discharged from the facility.The PHI breached included Patient 1's name and hospital account number.The Hospital's Policy and Procedure titled, "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form...it is the responsibility of all [Hospital] workforce members to comply with policies and procedures...identify...security breaches."CA003649862) On 1/24/14 at 8:57 a.m., during an interview, the PO stated Registered Nurse 1 (RN1) gave discharge paperwork for Patient 3 (P3) to Patient 4 (P4). The PO stated that RN1 failed to check the name on the paperwork, before giving it to P4.The PHI breached included Patient 3's name, medical record number, account number, and clinical information.The Hospital's Policy and Procedure titled, "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form...it is the responsibility of all [Hospital] workforce members to comply with policies and procedures...identify...security breaches."CA003693463) On 1/24/14 at 9:20 a.m., during an interview, the PO stated Certified Nursing Assistant 1 (CNA1) left a treatment team list for Patients 5, 6, 7, 8, 9, 10, 11, and 12 in Patient 13's room. This list was picked up and taken home by Patient 13 upon discharge. The PO stated CNA1 should not have set her paperwork down in a patient room.The PHI breached included Patient 5, 6, 7, 8, 9, 10, 11, and 12's name, age, and gender.The Hospital's Policy and Procedure titled, "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form...it is the responsibility of all [Hospital] workforce members to comply with policies and procedures...identify...security breaches."CA003761084) On 1/24/14 at 9:25 a.m., during an interview, the PO stated Registered Nurse 2 (RN2) gave a face sheet belonging to Patient 14 (P14) to Patient 15 (P15) at time of discharge. The PO stated that RN2 failed to check the name on the face sheet before giving it to P15.The PHI breached included Patient 14's name, date of birth, gender, address, insurance information, medical record number, account number, and clinical information.The Hospital's Policy and Procedure titled, "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form...it is the responsibility of all [Hospital] workforce members to comply with policies and procedures...identify...security breaches."CA003801305) On 1/24/14 at 9:30 a.m. during an interview, the PO stated Patient 16's (P16) lab results and billing statement were sent to Patient 17 (P17), and to a physician. PO stated that there were 2 patient's with the same name and the Lab Assistant failed to check the dates of birth on the paperwork before mailing it out.The PHI breached included Patient 16's name, date of birth, medical record number, and lab results.The Hospital's Policy and Procedure titled, "HIPAA General Rules for the Use and Disclosure of PHI" dated 4/18/12 indicated, "Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form...it is the responsibility of all [Hospital] workforce members to comply with policies and procedures...identify...security breaches."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights