Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 5, 2015. Also cited in 46 other reports.
Report ID: 4DWQ11.01, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview and record review, the facility failed to ensure the confidentiality of protected health information (PHI) when a contracted registry nurse, (Employee 1) released discharge instructions for Patient A to Patient B during discharge from the Emergency Department (ED) on May 29, 2014. This failure resulted in a breach of Patient A's PHI to Patient B without authorization. Findings:During a phone interview with the Facility Privacy Officer (FPO), on March 5, 2015 from 3:15 PM, the FPO stated the facility learned of the breach when Patient B returned on the same day, (May 29, 2014) with the discharge paperwork. When asked how the FPO identified the employee, she stated, "It was a registry nurse (Employee 1)." When asked how the HIPAA breach occurred, the FPO stated, "Our procedure is to check their name and medical record number on any paperwork against their name, medical record number on the armband and verify it verbally with the patient. Employee 1 did not follow our procedures for discharge." During a follow-up phone interview with the FPO, on March 25, 2015 at 3:25 PM, when asked how Employee 1, would have known the discharge process for the ED, she stated all travelers and registry nurses receive a unit orientation by their preceptor and would have been taught the discharge process on the unit.A record review conducted on March 5, 2015 at 4:00 PM, of Patient A's face sheet, discharge instructions, and prescription as well as Patient B's face sheet was conducted. Both patient's first names and gender are similar but each patient had a different last name and medical record number as indicated on the face sheets. The discharge instructions and prescription belonged to Patient A based on name and medical record number. A record review conducted on March 5, 2015 at 4:00 PM indicated the registry nurse, Employee 1, received training on the privacy of patients and the unauthorized disclosure of information on May 16, 2014 prior to the date of the Health Insurance Portability and Accountability Act (HIPAA) breach on May 29, 2014. The facility policy and procedure, dated August 2012, titled, "Protected Health Information (PHI), Transfer of " in Section 4.0 indicates, "The first staff member will verify that all documents belong to the correct patient and do not contain any other patient's information. The second staff member will independently verify that the documents belong to the correct patient and do not contain any other patient's information."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights