Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COMMUNITY HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 10, 2013. Also cited in 64 other reports.
Report ID: 42EF11.01, California Department of Public Health
Reported Entity: RIVERSIDE COMMUNITY HOSPITAL
Issue:
Based on interview and document review, the facility failed for one patient (Patient A), to ensure that (PHI) Protected Health Information was not disclosed to any entity not authorized to receive the information. This failed practice resulted in unauthorized access to Patient A's demographic information and medical records.Findings:On January 10, 2013, an unannounced visit was made to the facility to investigate a self-reported breach of PHI (protected health information). An interview was conducted with the Facility Privacy Officer (FPO), on January 10, 2013, at 10 a.m. The FPO stated the breach occurred on November 25, 2012, when Patient A's protected health information was disclosed verbally over the phone. The nurse was attempting to arrange a consultation for Physician A. The nurse dialed the wrong phone number. Instead of reaching Physician B, the nurse dialed a phone number for a private residence, and left Patient's A protected health information on the answering machine. The nurse left Patient A's name, room number, diagnoses, and reason for the consult on the private resident's voicemail. The facility became aware of the breach when the private resident called the facility to let them know she had received Patient A's information in error. The private resident further indicated that she was tired of getting all these messages that were intended for someone else. The private resident stated she was aware that the information being left on her voicemail are HIPPA breaches. The Privacy Officer further stated the nurses were not supposed to call for the physicians' consultations. The physicians were supposed to make the call for the patient's consultation. The facility's Medical Staff Rules and Regulations indicated, "The physician requesting a consultation is responsible for contacting the consultant..."The facility's policy and procedure titled, Safeguarding Protected Health Information, was reviewed. The policy indicated, "The facility will take reasonable steps to safeguard and protect PHI...this policy addresses oral and paper-based PHI...Workforce members may only discuss PHI with other workforce members who have legitimate "need to know"...must ensure that reasonable safeguards are in place when...verbally communicating PHI..."The facility failed to ensure Patient A's PHI was not disclosed to any entity not authorized to receive the information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280