This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

COMMUNITY REGIONAL MEDICAL CENTER

2823 FRESNO STREET, FRESNO, CA 93715

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 8, 2014. Also cited in 62 other reports.


Report ID: 66V011, California Department of Public Health

Reported Entity: COMMUNITY REGIONAL MEDICAL CENTER

Issue:

Based on staff interview and administrative document review, the hospital failed to keep Protected Health Information (PHI) confidential when:

1. Patient 1's medical information was accessed and copied from a Physician's office without permission. (refer to CA00369483).
2. Patient 2's medical information was given to Patient 3 on discharge. (refer to CA00368823).
3. Patient 4's billing statement was mailed to Patient 5 in error. (refer to CA00368324).
4. Patient 6 identified bulletin board in ER that displayed Patient 7's personal information. (refer to CA00368326).

This failure resulted in unauthorized access to Patients 1, 2, 4, and 7's PHI and the potential for abuse of that information.

Findings:

Refer to CA00369483.

1. On 01/08/2014 at 9 a.m., during an interview, Privacy Officer (PO) stated on 09/06/2013 Patient 1's medical record in the Epic Care Link (electronic medical record system) had been flagged for monitoring. The staff in the physician's office accessed Patient 1's medical record inappropriately. The system prompted the individual that they were entering a restricted area. The system warns you that you are "Breaking the glass" if you continue. Staff 1 in the physician's office ignored the security warnings and printed out copies of the flagged chart, which she should not have done.

Patient 1's PHI breached included name, date of birth, gender, medical record number and clinical information related to hospitalizations at the hospital on 08/19/11.

The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI", dated 04/18/12, indicated "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."

Refer to CA00368823.

2. On 01/08/2014 at 9:10 a.m., during an interview, the PO stated that on 08/13/2013, Patient 3 was discharged home with information for Patient 2. Patient 3 received the face sheet and history and physical records for Patient 2. Staff should have verified and confirmed the correct patient's name and address before discharging Patient 3 with Patient 2's information, but this was not done.

Patient 2's PHI breached included name, address, date of birth, gender, medical record number, account number, insurance information, social security number and clinical information related to her hospitalization on 08/29/2013.

The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI", dated 04/18/12, indicated "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."

Refer to CA00368324.

3. On 01/08/2014 at 9:20 a.m., during an interview, the PO stated that on 08/27/2013 she was notified that Patient 4 had received a billing statement with her name and address from the hospital. Patient 4 informed the PO that she was never treated at that hospital. The billing statement included PHI for Patient 5. Privacy Officer confirmed that the Health Information Management (HIM) Correction Team worked on duplicate medical records. HIM combined the two records with the same name but did not validate the addresses, dates of birth or Social Security numbers, which they should have done.

Patient 5's PHI breached included account number, name of insurance company and itemized statement for services received from the hospital.

The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI", dated 04/18/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."

Refer to CA00368326.

4. On 01/08/2014 at 9:30 a.m., during an interview, the PO stated that on 08/26/2013 Patient 6 informed Patient Registration that he was sitting in the Emergency Room (ER) when he noticed a large Bulletin Board in the hallway. Patient 6 informed Patient Registration that it faced two registration chairs. Patient 6 noticed a document on the bulletin board titled "Direct Admit - Please Preadmit" containing Patient 7's PHI. Patient Registration immediately removed the document. The document should not have been placed in public view but usual practice was not followed and the document was placed in view of the public on the board.

Patient 7's PHI breached included name, date of birth, medical record number and the diagnosis related to the hospitalization.

The hospital's policy and procedure titled "HIPAA General Rules for the use and Disclosure of PHI", dated 04/18/12, indicated, "It is the policy of [hospital] to protect the privacy and security of patient information and to comply with applicable laws and regulations. This policy applies to all [hospital] workforce members, which includes employee, trainees, students, volunteers, and other designated persons."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
