Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KAISER FOUNDATION HOSPITAL - RIVERSIDE
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 5, 2012. Also cited in 25 other reports.
Report ID: SB2611.02, California Department of Public Health
Reported Entity: KAISER FOUNDATION HOSPITAL, RIVERSIDE
Issue:
Based on interview and record review, the facility failed to report the unauthorized access and/or disclosure of Patient A's PHI to the affected patient (Patient A), no later than five business days after it had been detected by the facility, which was on November 11, 2011. The facility had written a notification letter of the unauthorized disclosure of Patient A's PHI, dated November 22, 2011 (seven business days after it had been detected).
Findings:
On January 5, 2012, at 10:10 a.m., an investigation was conducted for an entity reported incident.
On January 5, 2012, at 10:15 a.m., Patient A's records and facility documents were reviewed with the DRCO and the DRA. The DRCO stated a facility staff (Biller 1) sent Patient B a "Courtesy Statement." The DRCO stated Biller 1 inadvertently mailed and sent Patient A's "Courtesy Statement" with Patient B's record. Patient B returned Patient A's "Courtesy Statement" to the facility.
Patient A's "Courtesy Statement" was reviewed and included the patient's name, address, hospital account number, medical record number, admit and discharge dates, and diagnosis codes.
On January 5, 2012, at 11:25 a.m., MB was interviewed and stated Biller 1 worked on both Patient A and B's "Courtesy Statements." The MB stated, "Biller 1 was multi-tasking."
On January 5, 2012, at 11:30 a.m., the notification letter of the unauthorized disclosure of medical information, sent to Patient A, was reviewed with the DRA. The DRA stated the letter was dated and sent to Patient A on November 22, 2011 (seven business days after the unauthorized disclosure was detected). The DRA stated facility staff had attempted to call Patient A, but was unable to reach the patient. The DRA was unable to provide documented evidence when the phone call attempts were made.
The facility policy titled, "Notification Regarding Breaches of Protected Health Information," revised September 2010, was reviewed and indicated the following:
"Protected Health Information (PHI) - Individually identifiable health information including demographic information...created or obtained by a covered entity that is related to an Individual's past, present, or future physical or mental health or condition, including the provision of his/her health care..."
The policy further indicated, "...Individually identifiable means that the information either identifies the Individual or there is a reasonable basis to believe that the information can be used to identify the Individual, such as name, address...other personal identifiers..."
The policy further indicated, "A Licensee must also notify the affected patient (or, as applicable, the patient's representative) at the last known address, no later than 5 business days after the Licensee detects the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information..."
Outcome:
Deficiency cited by the California Department of Public Health: Medical Breach