This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.



Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 21, 2015. Also cited in 46 other reports.

Report ID: ICDQ11.01, California Department of Public Health



Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for Patient A when an admitting representative (Employee 1) filled out and faxed a 24 hour notice form for [County 2] which was not the intended recipient when admitting Patient A to the facility. This resulted in a Health Insurance Accountability Act (HIPAA) breach to [County 2] instead of the [County 1].

Findings:

During an interview with Employee 1, on April 24, 2015 at 2:00 PM, she was asked how the [HIPAA] breach occurred, Employee 1 stated, "When I pulled out the wrong form and I did not notice it was [County 2] fax form that I was filling out." When Employee 1 was asked how the form was faxed to [County 1], she stated, ". . .[I] manually enter it each time. . ." and when asked about the facility policy and procedure for sending faxes, she stated, "We use a buddy system . . . a co-worker verifies it before we send it." When asked if a co-worker verified the fax number prior to faxing, she stated, "Yes."

During an interview with the Admitting Department Supervisor, on April 24, 2015 at 2:20 PM, when asked how the breach was detected, she stated, "The next morning the financial counselors verify every patient that is admitted. So, they go through the paperwork and they verified that the fax cover sheet and county code did not match." When she was asked when the breach was detected, she stated, "If it was a weekend [when the breach occurred] they would have checked it the first day after the weekend. Otherwise Employee 1 works nights, it would be the next day."

A record review of the facility's documents included the transmission verification report dated August 16, 2014, the facsimile cover sheet dated August 16, 2014 and the 24-Hour Notification [County 2], these three (3) breached documents indicated Patient A's name, date of birth, age, medical record number, ethnicity, marital status, gender, social security number, insurance [provider] number, address, phone, reason for admission, treating physician and diagnosis.

A record review of the facility's policy and procedure titled, "Safeguarding PHI and Sensitive Information", dated January 17, 2012, indicated, "When manually entering a fax number, visually verify the correct fax number is being entered before sending."


Deficiency cited by the California Department of Public Health: Patients' Rights
