Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COMMUNITY HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 18, 2014. Also cited in 64 other reports.
Report ID: 0CBJ11.03, California Department of Public Health
Reported Entity: RIVERSIDE COMMUNITY HOSPITAL
Issue:
Based on interview and record review, the facility failed to report, no later than five days, five incidents of unauthorized access to protected health information (PHI), to the affected individuals (Patients A, B, C, D, and E). The facility's corporate office became aware of the unauthorized access of PHI on January 24, 2014, and did not report it to Patients A, B, C, D, and E until March 12, 2014, 51 days later and 44 days after the mandated timeframe for the facility to report these incidents.Findings:On March 12, 2014, the California Department of Public Health received a letter from the facility indicating several patients' protected health information was disclosed without authorization. The letter indicated information disclosed included Patient A, B, C, D, and E's demographic information. On March 18, 2014, at 9:30 a.m., the Facility Privacy Officer was interviewed. The PO stated the facility's main corporate office became aware of the breach on January 20, 2014, when an unknown person delivered a box containing a large number of documents to another corporate hospital. The PO stated the corporation wanted the patient letters to be sent by the patients' local facility. The PO stated she was informed on March 6, 2014, and she did not know why there was a delay in her notification, as February 7, 2014, was identified as the date the breach was confirmed by the corporate counsel. The letters sent to each of the five patients were reviewed on March 18, 2014. Each of the five letters had a mailing date of March 12, 2014. The letters indicated, "We are writing to inform you that we discovered on February 7, 2014, your personal information contained in your records at Riverside Community Hospital may have been advertently disclosed to another patient." The facility policy and procedure titled "Protected Health Information Breach Notification," with an effective date of October 12, 2009, was reviewed. The policy indicated: "Any Company-affiliated facility in the case of a breach of unsecured PHI, must notify the patient or their personal representative without reasonable delay and in no case later than 60 days of discovering the breach." The policy continues: "A breach is considered discovered as of the first day on which the breach is known by the business associate and/or the facility." According to the policy a breach is the unauthorized acquisition, access, use, or disclosure of unsecured, unencrypted PHI. The policy and procedure titled "Safeguarding Protected Health Information," with an effective date of November 1, 2012, indicated "States may have separate laws that may apply additional legal requirements."The facility failed to notify the patients no later than five days after the disclosure had been detected. A corporate hospital had detected the breach on January 20, 2014, but the facility did not notify the department until March 12, 2014, 51 days later and 44 days after the mandated timeframe for the facility to report this disclosure.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280