Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 12, 2013. Also cited in 62 other reports.
Report ID: IMSS11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview, clinical record, and administrative document review, the hospital failed to keep confidential protected health information (PHI) when:1. Patient 1's PHI was sent to the wrong payer.2. PHI for Patients 2 and 3 was sent to the wrong payer.3. MD 1 accessed Patient 4's PHI without the need to know.4. Patient 5's prescription sheet was given to Patient 6.5. Patient 7's PHI was sent to the wrong payer.6. Patient 8's PHI was sent to the wrong payer.These failures placed patients' PHI at risk for unauthorized use.Findings:The following referred to CA00341677:1. On 7/12/13 at 2:46 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated Staff 1 faxed Patient 1's clinical record to the wrong payer. Adm Staff 1 stated that during the process of faxing the clinical record, Staff 1 selected the wrong payer. Adm Staff 1 stated, "The receiving facility called to inform us."The PHI which was sent to the wrong payer contained Patient 1's name, date of birth, medical record number, and list of diagnoses, procedures, and charges.The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations."The following referred to CA00337086:2. On 12/20/12 at 4:15 p.m., the department received a letter from the hospital that indicated Patient 2 and Patient 3's clinical records were sent to the wrong payers by Staff 1. On 7/12/13 at 3:55 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated that Patient 2's clinical record was sent electronically to the wrong insurance payer. Admin Staff 1 stated the recipient of Patient 2's PHI informed the hospital of the alleged breach.The PHI for Patient 2 that was sent to the wrong recipient contained contained name, date of birth, medical record number, diagnoses, and history/physical, and discharge summary.On 7/12/13 at 4:25 p.m., during an interview, Admin Staff 1 stated that the utilization coordinator sent Patient 3's PHI to the wrong insurance payer. The insurance payer notified the hospital of the possible breach. The PHI for Patient 3 contained name, date of birth, medical record number, diagnoses, and history/physical.The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations."The following referred to CA00339967:3. On 7/12/13 at 3:12 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated MD 1 accessed Patient 4's electronic medical record on 1/7/13 without a business need to know. Adm Staff 1 indicated that MD 1 was on staff in the hospital and that MD 1 was Patient 1's uncle. Adm Staff 1 stated, "Health Information Management received complaint that indicated MD 1 had breached Patient 4's Protected Health Information. Audit report findings indicated MD 1 accessed the patient's information without a business need to know."Review of faxed report from the hospital to the department indicated, "The protected health information accessed included name, address, date of birth, gender, medical record number, account number and clinical information." The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations."The following referred to CA00339433:4. On 7/12/13 at 3:25 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated Patient 5's prescription was given to Patient 6 in error by RN 1 in the emergency department. The report sent to the department on 1/14/13 indicated, the prescription dated 1/7/13 contained name, date of birth, and medications prescribed.The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations." The following referred to CA00339142:5. On 7/12/13 at 3:36 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated that the Financial Services Department updated Patient 7's information incorrectly and put the wrong financial health insurance payer. Adm Staff 1 indicated the PHI for Patient 7 was sent to the wrong payer. The recipient notified the hospital of the alleged breach. The PHI for Patient 7 contained name, date of birth, medical record number, social security number, medical tests performed and Patient 1's home address.The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations."The following referred to CA00335145:6. On 7/12/13 at 3:36 p.m., during an interview, Administrative Staff (Adm Staff) 1 stated that the Financial Services Department updated Patient 8's information incorrectly and put the wrong financial payer. Adm Staff 1 stated the PHI for Patient 8 went to the wrong payer. The recipient notified the hospital of the alleged breach. The PHI for Patient 8 contained name, date of birth, medical record number, social security number, medical tests performed and Patient 1's home address.The hospital's policy and procedure titled "HIPAA [Health Information Portability and Accountability Act] General rules for the use and disclosure of PHI [Protected Health Information]," dated 4/18/12, Section III titled, "Policy," read, "A. It is the policy of (the hospital) to protect the privacy and security of patient information and to comply with applicable laws and regulations."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights