Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 29, 2014. Also cited in 123 other reports.
Report ID: EZ1O11, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized disclosure of protected health information (PHI) for one patient (Patient 1) when she was registered using the incorrect insurance information, and case managers faxed clinical and demographic information to the incorrect insurance company multiple times. This failed practice resulted in the potential for a breach in infant security, and physical harm to Patient 1, as well as physical, emotional, and financial harm to her mother and other family members.Findings:During an interview with the facility Privacy Officer (PO) on July 30, 2014, at 10:15 a.m., the PO stated Patient 1 seen as a patient in the Emergency Department (ED), then transferred to the inpatient area on July 4, 2014. The PO stated during the registration, the correct demographics information was entered into the computer system for Patient 1, but the insurance information for a different patient (Patient 2) was entered. She stated this error resulted in case managers faxing demographic and clinical information to the insurance company listed in the system on a daily basis to authorize continued care in the facility.The record for Patient 1 was reviewed on July 30, 2014. Patient 1, a female infant, was seen admitted to the facility on July 4, 2014, with diagnoses that included fever of unknown origin and rule out meningitis. The record indicated she was seen by a case manager each day, and each day a request for authorization of a continued stay at the facility was faxed to the insurance company that was listed in the computer system. The documents that were faxed to the insurance company included the following PHI for Patient 1:1. July 5, 2014;a. Name;b. Age;c. Date of birth;d. Sex;e. Race;f. Date of admission;g. Home address;h. Social security number;i. Mother's name;j. Mother's address;k. Mother's telephone number;l. Mother's date of birth;m. Mother's social security number;n. Location in hospital;o. Account number;p. Medical record number;q. Family information including who lives in the home, and sex and ages of her siblings; and,r. Clinical information including diagnosis, symptoms, medications, laboratory values, and progress toward healthcare goals;2. July 6, 2014, a. Name;b. Age;c. Date of birth;d. Sex;e. Date of admission;f Account number;g. Medical record number; andh. An update on her clinical status including diagnosis, symptoms, medications, laboratory values, and progress toward healthcare goals;3. July 9, 2014;a. Name;b. Age;c. Date of birth;d. Sex;e. Date of admission;f Account number;g. Medical record number; andh. An update on her clinical status including diagnosis, symptoms, medications, laboratory values, and progress toward healthcare goals with a projected discharge date; and,July 11, 2014;a. Name;b. Age;c. Date of birth;d. Sex;e. Date of admission;f Account number;g. Medical record number; andh. An update on her clinical status including diagnosis, symptoms, medications, laboratory values, and progress toward healthcare goals including a projected discharge date.Failure of the case management staff to verify they were providing PHI to the correct entity resulted in access to Patient 1's PHI by persons unauthorized to have it, and the potential for harm to her and her family members.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280