This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO, CA 94143

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 31, 2013. Also cited in 108 other reports.


Report ID: WFY011.02, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to notify five patients that their medical information had been disclosed to another individual within the five business days required by law.

Findings:

Patient 1 - CA00376326 - UCSF 2013-245

During an interview on 1/15/14 at approximately 9:30 AM, a Privacy Analyst (PA) stated that a progress note written by Physician A was mistakenly forwarded by Physician A to Physician B. Physician B was no longer involved in the care of Patient 1 and therefore was not authorized to receive Patient 1's medical information. The PA stated Physician B realized he had received this information by mistake so Physician B contacted the hospital on 10/30/13 to inform them of the mistake.

The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent progress note and the letter of notification from the hospital to Patient 1. The misdirected progress note contained Patient 1's name, date of birth, Medical Record number, date of service, and medical information regarding a surgical procedure, physical examination, assessment and plan of care.

Record review of the fax sent by the hospital to CDPH confirmed that Physician B notified the hospital of the breach of medical information on 10/30/13. Record review of the notification letter sent to the patient indicated the letter was dated 11/6/13, five business days after discovery.

Patient 2 - CA00376330 - UCSF 2013-246

During an interview on 1/15/14 at approximately 9:30 AM, a Privacy Analyst (PA) stated that a consultation summary note written by Physician C was mistakenly forwarded by Physician C to Physician D because the registration clerk had entered Physician D's name to Patient 2's chart as his Primary Care Physician. Physician D had a similar last name as Patient 2's Primary Care Physician but Physician D was never involved in the care of Patient 2 and therefore was not authorized to receive Patient 2's medical information. The PA stated Physician D realized he had received this information by mistake so Physician D contacted the hospital on 10/29/13 to inform them of the error.

The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 2. The misdirected progress note contained Patient 2's name, date of birth, Medical Record number, date of service, and medical information regarding a detailed history, medications, problem list, assessment and plan of care.

Record review of a fax sent from the hospital to CDPH confirmed that the hospital was notified of this event by Physician D on 10/29/13. Record review of the copy of the letter sent from the hospital to notify Patient 2 of the medical information breach indicated the letter was dated 11/7/13, seven business days after discovery. The hospital was two days late in notifying Patient 2 of the medical information breach.

Patient 3 - CA00376377 - UCSF 2013-248

During an interview on 1/15/14 at approximately 10:00 AM, a Privacy Analyst (PA) stated that a consultation summary written by Physician E was mistakenly forwarded by Physician E to Physician F because the registration clerk had entered Physician F's name to Patient 3's chart as her Primary Care Physician. Physician F had a similar last name as Patient 3's Primary Care Physician but Physician F was never involved in the care of Patient 3 and therefore was not authorized to receive Patient 3's medical information. The PA stated Physician F realized she had received this information by mistake so Physician F contacted the hospital on 10/29/13 to inform them of the error.

The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 3. The misdirected consultation summary contained Patient 3's name, date of birth, Medical Record number, date of service, and medical information regarding a physical examination, assessment and plan of care for her left knee problems.

Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician F on 10/31/13. Record review of the notification letter from the hospital to Patient 3 indicated the letter was dated 11/7/13, five business days after discovery.

Patient 4 - CA00376382 - UCSF 2013-249

During an interview on 1/15/14 at approximately 10:00 AM, a Privacy Analyst (PA) stated that a discharge prescription for Patient 4 was given to another patient (Patient 4B) being discharged around the same time. When Patient 4B got home, his brother read the prescription and noted that it was for Patient 4. The brother called the facility on 10/30/13 to report the mistake. The PA stated that the nurse was distracted while discharging the patient and had attached the prescription to the wrong discharge packet.

The MAL reported that the prescription contained Patient 4's name, date of birth, medical record number, address, phone number, and some health information. Patient 4B and his brother were not authorized to see this protected health information.

Record review indicated the hospital notified Patient 4 by letter dated 11/8/13. This was seven business days after the information breach was detected. The hospital was two days late in notifying Patient 4 of the breach of her protected health information.

Patient 5 - CA00376629 - UCSF 2013-250

During an interview on 1/15/14 at approximately 10:30 AM, a Privacy Analyst (PA) stated that a consultation summary written by Physician G was mistakenly forwarded by Physician G to Physician H because the registration clerk had entered Physician H's name to Patient 5's chart as his Primary Care Physician. Physician H was never involved in the care of Patient 5 and therefore was not authorized to receive Patient 5's medical information. The PA stated Physician H realized he had received this information by mistake so Physician G contacted the hospital on 11/1/13 to inform them of the error.

The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 5. The misdirected consultation summary contained Patient 5's name, date of birth, Medical Record number, date of service, and medical information regarding a history, physical examination, assessment and plan of care for his lung biopsy.

Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician G on 11/1/13. Record review of the notification letter to Patient 5 indicated it was dated 11/8/13, five days after detection.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
