Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COMMUNITY HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 7, 2012. Also cited in 64 other reports.
Report ID: CPHG11, California Department of Public Health
Reported Entity: RIVERSIDE COMMUNITY HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure Patient A's health information was kept protected, by failing to ensure documents sent via facsimile were sent to the correct number. Patient A's confidential information was sent via facsimile to a private home on February 16, 2012, by Staff 1. This resulted in the unauthorized disclosure of Patient A's protected health information.Findings:On February 24, 2012, the facility notified the Department about a suspected unauthorized disclosure of a patient's protected health informationDuring an interview with the facility Privacy Officer, on May 7, 2012, at 1 p.m., the Privacy Officer stated: a. On February 16, 2012, Patient A's "Patient Information Form," "History and Physical," and "CT Report," were faxed to a private facsimile number by Staff 1. The information was intended to be faxed to a home health agency. b. On February 17, 2012, the Privacy Officer was notified by the recipient of the information about the misdirected fax. c. The investigation revealed, Staff 1 had intended to fax the document to a home health agency, when she dialed one wrong number. d. The misdirected fax was due to human error, not a system problem.On May 7, 2012, the documents sent to the unintended recipient were reviewed. Information included in the misdirected fax were Patient A's name, gender, address, medical record number, social security number, date of birth, admission date, address, telephone number, emergency contact information, telephone numbers, health insurance information, and diagnosis. Patient A was informed of the disclosure by letter dated and mailed on February 24, 2012, to Patient A's last known address.The facility policy and procedure titled "Safeguarding Protected Health Information," with an effective date of November 2011 was reviewed on May 7, 2012. The policy indicated its purpose was facilitate compliance with HIPAA standards for privacy in individually identifiable health information. The policy indicated the following procedures:A. When faxing PHI, workforce members should take the appropriate safeguards:4. Verify the fax number before sending.6. Double check the fax number entered before sending.7. Set the fax machine to print an auto-confirmation page, if available, and check confirmation page to ensure:i. Delivery was successful, and ii Correct fax number was dialed.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280