Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 6, 2014. Also cited in 46 other reports.
Report ID: X13O11, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview, and record review, the facility failed to ensure the confidential treatment of protected health information (PHI), when Patient B was inadvertently provided discharge instructions that contained the name of another patient (Patient A) upon discharge. This resulted in a breach of PHI for Patient A.Findings:On August 6, 2014 at 2:00 PM, a phone interview was conducted with the Facility Privacy Officer (FPO), to investigate an entity reported incident of a breach of PHI for Patient A. The FPO stated, "On September 16, 2014, a licensed vocational nurse (LVN 1) was preparing discharge instructions for Patient B. LVN 1 inadvertently chose the electronic health record (EHR) for Patient A, LVN 1 completed discharge instructions (DCI) for Patient B on Patient A ' s EHR in error. LVN 1 printed the DCI with Patient A ' s name on it and stapled a prescription to the top of the DCI for Patient B and RN 1 discharged Patient B without verifying that the name on the DCI was Patient B ' s." The FPO further stated, "Patient B ' s mother called the facility on August 17, 2013, and informed RN 1, that the DCI she had received for her son (Patient B) on August 16, 2013, had another patient's name (Patient A). The information in the body of the DCI was information for Patient B, but the patient information posted at the top of the DCI, contained the name and PHI for Patient A."A review of the patient information posted at the top of the DCI given to Patient B on August 16, 2013, included: Patient A's name, age, gender, date of admission, physician name, account number , unit number, location and room/bed number.A review of the facility policy and procedure titled, "Corrective Process for Breach of Patient Privacy or Confidentiality", dated May 3, 2013, indicated:"Procedures:""A. Breaches in confidentiality or patient privacy are divided into three (3) levels with a corresponding corrective action for each level of breach.""1. Level 1, Carelessness: This level of breach occurs when a (facility name) employee unintentionally or carelessly uses, accesses, reviews, discloses or reveals PHI without a legitimate business reason or a failure to reasonably safeguard information."The failure of RN 1, to not verify that the name on the DCI given to Patient B at time of discharge was Patient B ' s, resulted in a breach of PHI for Patient A.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights