Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KAISER FOUNDATION HOSPITAL - RIVERSIDE
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 5, 2013. Also cited in 25 other reports.
Report ID: OF4W11, California Department of Public Health
Reported Entity: KAISER FOUNDATION HOSPITAL, RIVERSIDE
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 2). Patient 2's confidential information was given to Patient 3 on September 20, 2013, when Patient 3 was discharged from the facility. This resulted in the unauthorized disclosure of Patient 2's protected health information.Findings:On December 5, 2013, at 1 p.m., an interview was conducted with the Director of Accreditation, Regulation and Licensing; Administrative Specialist for Compliance Department; and Clinical Manager Medical/Surgical (CMMS). The CMMS stated:a. On September 20, 2013, Patient 3 was discharged from the facility and received a packet of discharge instructions.b. On September 23, 2013, Patient 3 notified her that some one else's form/information was at the back of her discharge information.c. She was able to verify the form was Patient 2's "trip ticket" to CT (Computed Tomograph - an imaging method that uses x-rays to create pictures of cross-sections of the body).d. On September 27, 2013, Patient 3 returned Patient 2's record to the facility via the US mail system.The Patient 3 received and had an opportunity to view Patient 2's PHI, which included name, medical record number, encounter number, admission date, vital signs, age, date of birth, gender, allergies, weight, height, physician's name and the destination of CT.Patient 2 was informed of the disclosure of her protected health information (PHI) via a letter dated September 26, 2013, and mailed on September 27, 2013, to Patient 2's last known address.The California Department of Public Health (CDPH) was notified via a telephone call of the unauthorized access of Patient 2's PHI, on September 27, 2013; and a letter dated September 30, 2013, and received October 3, 2013.The facility policy and procedure titled "Notification Regarding Breaches of Protected Health Information" revised June 2013, revealed "... A Licensee must report to DPH (California Department of Public Health) any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined, no later than 5 business days after the facility detects the above occurrence. ... A Licensee must also notify the affected patient (or, as applicable, the patient's representative) at the last known address, no later than 5 business days after the Licensee detects the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280