Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 4, 2013. Also cited in 62 other reports.
Report ID: TNXN11, California Department of Public Health
Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER
Issue:
Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:1. Patient 1's medical information was mailed to an unauthorized recipient. (refer to CA00357019)2. Patient 2's PHI was given to an unauthorized individual. (refer to CA00356816)3. Patient 3's PHI was accessed by an unauthorized individual. (refer to CA00355129)These failures resulted in not protecting the PHI for Patient's 1, 2 and 3 and had the potential for unauthorized use. Findings: Refer to CA003570191. On 6/11/13 at 1:08 p.m., during an interview, the Privacy Officer (PO) stated Patient 1's PHI was entered into the information system incorrectly and five claims for hospital charges on 8/27/10, 2/22/11, 4/5/11, 3/28/11 and 5/24/11 were mailed with the wrong insurance coverage to the unauthorized recipient.Review of the medical record indicated the following information was mailed on 12/29/10, 3/8/11, 8/25/11, 7/5/11 and 6/7/11 to the unauthorized recipient: Patient name, date of birth, address, gender, account number, medical record number, dates of service and charges for five hospital visits. On 6/4/13 certified letter was mailed to the patient notifying her of the breach.The (Hospital) Policy and Procedure titled, HIPAA (Health Insurance Portability and Accountability Act)General Rules for the Use and Disclosure of PHI dated 4/18/12, III. Guidelines: A. Protected Health Information and Records indicated; 1."Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. I. Accurate Information 1. It is the responsibility of all individuals who collect information from patients...medical record...to be as accurate and complete as possible." Refer to CA003568162. On 6/11/13 at 1:15 p.m., during an interview, the Privacy Officer (PO) stated on 5/22/13 Patient 2's PHI was breached when five bottles of formula intended for Patient 2 were given to an unauthorized recipient. Review of the medical record indicated the five bottles of formula were labeled with Patient 2's name, medical record number, account number and date of service. On 5/31/13 a certified letter was sent to Patient 2's parents regarding the breach. The (Hospital) Policy and Procedure titled, HIPAA General Rules for the Use and Disclosure of PHI dated 4/18/12, III. Guidelines: A. Protected Health Information and Records indicated: 1."Protected health information includes any information received, created or maintained by...in which the patient is...identified, regardless of whether the information is in oral, paper or electronic form. B. (Hospital) Privacy Policies and Procedures 2. It is the responsibility of all (Hospital) workforce members to comply with policies and procedures ...identify ... security breaches."Refer to CA003551293. On 6/11/13 at 1:30 p.m., during an interview, the Privacy Officer (PO) stated an unauthorized individual accessed Patient 3's PHI via hospital computer system. Review of the medical records indicated; Patient 3's PHI was accessed on 5/9/13 by the unauthorized individual at a doctor's office who had knowledge and access to the hospital information system. PHI included: patient name, address, date of birth, gender, medical record number, account number and clinical information. On 5/17/13 a certified letter was sent to Patient 3 notifying her of the breach.The (Hospital) Policy and Procedure titled, Confidentiality/Breach of Information dated 8/16/13 indicated; "... II. Policy Detail A. Confidentiality of Patient Information Protected health information is only to be accessed in relationship to employee's...assigned job duties, on a need to know basis. Accessing any patient information...for unauthorized purposes...is a breach of confidentiality."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights