Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CORONA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 21, 2013. Also cited in 19 other reports.
Report ID: 52J511, California Department of Public Health
Reported Entity: CORONA REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to ensure their (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information, and medical records.
Findings:
An interview was conducted with the facility's Director of Health Information Management (DHIM), on February 21, 2013, at 1 p.m. The DHIM stated the breach occurred on February 11, 2013.
The DHIM stated the front desk employee from medical records received a call from a home health agency requesting Patient A's medical records on behalf of the patient. The breach occurred when the front desk employee dialed the wrong fax number. The front desk employee pressed the wrong fax number and as a result Patient A's medical records were sent to a retail store. The manager at the retail store called the hospital and notified them about receiving the medical record for Patient A. Approximately 28 copies, including lab results, EKG results, radiology reports, physician reports, admitting reports, and discharge paperwork were faxed over to the retail store in error.
The DHIM stated it was the hospital's policy to verify on the fax machine screen that the number is correct prior to sending the information via fax. The DHIM stated the employee skipped that step and failed to verify the fax number was correct prior to sending it. If the employee would have looked at the screen to ensure the fax number was correct, the employee could have prevented the breach of Protected Health Information from occurring.
The facility's policy and procedures titled, "Information Management," was reviewed. The policy indicated the hospital was, "Committed to make reasonable efforts to protect the privacy of patient's health information, and to comply with all applicable federal and state laws that protect the privacy and security of patient health information..."
The facility's policy and procedures titled, "Hospital Fax Policy and Procedure," was reviewed. The policy indicated, "After keying-in the fax number in the fax machine, and before sending the fax, the sender should validate the fax number on the screen against the hand written on for accuracy..." The facility failed to ensure Patient A's Protected Health Information was not disclosed to any entity not authorized to receive the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280