Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services' Breach Portal.
SAN FRANCISCO GENERAL HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 10, 2013. Also cited in 27 other reports.
Report ID: JJKG11.01, California Department of Public Health
Reported Entity: SAN FRANCISCO GENERAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent the unauthorized access to and disclosure of Patient 1's confidential medical information by Staff 1.

Findings:

During an interview on 1/17/13 at 4:15 PM, the facility's Privacy Officer (PO) related the details of her investigation into a possible medical information breach. The PO stated she was initially alerted to the potential breach by the Risk Management Department on 11/5/12. The source of this information was a Nurse Midwife in the Obstetrics Clinic (Staff 1). The PO stated that on 11/6/12 she interviewed Staff 1, who related that a patient in the clinic, Patient 1, believed that an employee (Staff 1) in another department had accessed her medical information and had passed this information on to Patient 1's ex-boyfriend. The PO stated that on 11/6/12 she had an audit run of the computer access into Patient 1's Lifetime Care Record (LCR), which indicated access by Staff 1 on 5/16/12 and 9/5/12. Staff 1 worked in the Family Health Clinic, so the PO thought it was unusual for her to access patient records in the Obstetric Clinic. The PO met with Staff 1 on or about 11/9/12 for a preliminary interview. During this meeting Staff 1 denied knowing Patient 1 and denied accessing her medical records.

The PO said Patient 1 was not available for interview, through a translator, until 11/9/12 and again on 11/13/12. During these interviews Patient 1 told the PO that her ex-boyfriend knew medical information about her which had to have come from her record at the facility. Patient 1 stated that Staff 1 was dating her ex-boyfriend and that both of them had come to Patient 1's home prior to this incident. Since Patient 1 had a restraining order against her ex-boyfriend, she had called the police. Patient 1 was able to show the PO the police report, which identified Staff 1 as being with the ex-boyfriend when he illegally entered Patient 1's home.

The PO stated that she, other facility administrators, Staff 1, and Staff 1's Union Representative had a formal meeting on 11/14/12, during which Staff 1 admitted accessing Patient 1's medical record without authorization and admitted disclosing Patient 1's medical information to the boyfriend. The facility put Staff 1 on administrative leave and deleted her access to the computer system on 11/14/12. The disciplinary process for Staff 1 is underway.

Review of Staff 1's Personnel Files indicated two "User Confidentiality and Security Agreement Form" documents signed by Staff 1, on 2/1/07 and 4/15/10. This form includes the statement: "I will only access, discuss, or divulge confidential DPH (Department of Public Health) information required for the performance of my job duties." Record review also indicated Staff 1 took and completed the facility's annual training courses on Information Security, Privacy, and HIPAA (Health Insurance Portability and Accountability Act) on 4/19/12. The facility policy and procedure "Confidentiality, Security, and Release of Protected Health Information," dated 6/11, states: "Uses of protected health information in any context or for any purpose other than direct patient care must be approved through the applicable processes outlined below..."

Staff 1 worked in a different clinic from where Patient 1 was being seen and had no need to access Patient 1's medical record. Therefore, Staff 1's entry into Patient 1's medical record on 5/16/12 and 9/5/12 was an unauthorized breach. Disclosure of Patient 1's medical information to an unauthorized recipient was also an unauthorized breach of Patient 1's protected health information and a violation of California State Privacy laws.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280