Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 4, 2014. Also cited in 62 other reports.
Report ID: 9EOJ11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on interview, clinical record and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential for Patient's 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,18,19, 20, 21, 22, 23, 24 and 25 when PHI was mailed to Recipients 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,18,19, 20, 21, 22, 23, 24 and 25 without authorization.This failure resulted in the breach of patients PHI and the possible unauthorized use. Findings:On 12/23/14 at 9:50 a.m., during an interview, the Privacy Officer (PO) stated on 10/6/14 when financial statements were printed out for Recipients 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,18,19, 20, 21, 22, 23, 24 and 25 by a Business Associate third party biller, an extra line was added to the statement. The extra line caused all subsequent statements to have a salutation and a letter which contained Patient's 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,18,19, 20, 21, 22, 23, 24 and 25's PHI. The financial statements were mailed to Recipients 1 through 25 on 10/6/14. The breach was discovered on 10/15/14.For Patient 1: Review of the financial statement indicated Patient 1's PHI was mailed to Recipient 1 on 10/6/14. The PHI included: Patient 1's name and financial liability.For Patient 2: Review of the financial statement indicated Patient 2's PHI was mailed to Recipient 2 on 10/6/14: The PHI included: Patient 2's name, and an account past due notice.For Patient 3: Review of the financial statement indicated Patient 3's PHI was mailed to Recipient 3 on 10/6/14. The PHI included: Patient 3's name and financial liability.For Patient 4: Review of the financial statement indicated Patient 4's PHI was mailed to Recipient 4 on 10/6/14. The PHI included: Patient 4's name, and an account past due notice.For Patient 5: Review of the financial statement indicated Patient 5's PHI was mailed to Recipient 5 10/6/14. The PHI included: Patient 5's name, and notice for additional insurance information. For Patient 6: Review of the financial statement indicated Patient 6's PHI was mailed to Recipient 6 on 10/6/14. The PHI included: Patient 6's name. For Patient 7: Review of the financial statement indicated Patient 7's PHI was mailed to Recipient 7 on 10/6/14. The PHI included: Patient 7's name. For Patient 8: Review of the financial statement indicated Patient 8's PHI was mailed to Recipient 8 on 10/6/14. The PHI included: Patient 8's name and financial liability.For Patient 9: Review of the financial statement indicated Patient 9's PHI was mailed to Recipient 9 on 10/6/14. The PHI included: Patient 9's name. For Patient 10: Review of the financial statement indicated Patient 10's PHI was mailed to Recipient 10 on 10/6/14. The PHI included: Patient 10's name and insurance denial.For Patient 11: Review of the financial statement indicated Patient 11's PHI was mailed to Recipient 11 on 10/6/14. The PHI included: Patient 11's name, and an account past due notice.For Patient 12: Review of the financial statement indicated Patient 12's PHI was mailed to Recipient 12 on 10/6/14. The PHI included: Patient 12's name, and notice for additional insurance information.For Patient 13: Review of the financial statement indicated Patient 13's PHI was mailed to Recipient 13 on 10/6/14. The PHI included: Patient 13's name and financial liability.For Patient 14: Review of the financial statement indicated Patient 14's PHI was mailed to Recipient 14 on 10/6/14. The PHI included: Patient 14's name and financial liability.For Patient 15: Review of the financial statement indicated Patient 15's PHI was mailed to Recipient 15 on 10/6/14. The PHI included: Patient 15's name and confirmation of a monthly payment arrangement.For Patient 16: Review of the financial statement indicated Patient 16's PHI was mailed to Recipient 16 on 10/6/14. The PHI included: Patient 16's name, and an account past due notice.For Patient 17: Review of the financial statement indicated Patient 17's PHI was mailed to Recipient 17 on 10/6/14. The PHI included: Patient 17's name and financial liability.For Patient 18: Review of the financial statement indicated Patient 18's PHI was mailed to Recipient 18 on 10/6/14. The PHI included: Patient 18's name, and an account past due notice..For Patient 19: Review of the financial statement indicated Patient 19's PHI was mailed to Recipient 19 on 10/6/14. The PHI included: Patient 19's name and financial liability.For Patient 20: Review of the financial statement indicated Patient 20's PHI was mailed to Recipient 20 on 10/6/14. The PHI included: Patient 20's name, and an account past due notice. For Patient 21: Review of the financial statement indicated Patient 21's PHI was mailed to Recipient 21 on 10/6/14. The PHI included: Patient 21's name, and an account past due notice.For Patient 22: Review of the financial statement indicated Patient 22's PHI was mailed to Recipient 22 on 10/6/14. The PHI included: Patient 22's name and financial liability.For Patient 23: Review of the financial statement indicated Patient 23's PHI was mailed to Recipient 23 on 10/6/14. The PHI included: Patient 23's name, and an account past due notice..For Patient 24: Review of the financial statement indicated Patient 24's PHI was mailed to Recipient 24 10/6/14. The PHI included: Patient 24's name, and notice for additional insurance information.For Patient 25: Review of the financial statement indicated Patient 25's PHI was mailed to Recipient 25 on 10/6/14. The PHI included: Patient 25's name and financial liability.The hospital policy and procedure titled, "HIPAA Business Associate Agreement" dated 12/22/14, indicated "I. Purpose: ... recognizes its obligation to preserve and protect the confidentiality and privacy of the individually identifiable health information of its patients under federal and California law. As part of its business, ... discloses such information to business Associates who perform various functions and or activities on behalf of the ... II. Definitions: A. Business Associate (BA): a person, entity or subcontractor of the business associate that, in the course of performing a function or service on behalf of ... creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA. Such services include, ..., billing ... IV. Guidelines: C. Action Upon Breach Of Business Associate Agreement: 2. As provided in the Business Associates Agreement/provisions, if ... becomes aware of a breach by the Business Associate of its obligations with respect to Protected Health Information, ... must determine whether there are feasible steps that the Business Associate may take to cure the breach."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights