Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 5, 2014. Also cited in 108 other reports.
Report ID: TJGA11.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to maintain the confidentiality of protected health information for five patients when:1. Patient 1's laboratory order was handed to the wrong patient,2. Patient 2's post-operative medication prescription was handed to the wrong patient,3. Patient 3's pathology report was emailed to the wrong physician,4. Patient 4's operative summary was included in Patient Z's report and which was then sent to Patient Z's Primary Care Physician, and5. Patient 5's "After Visit Summary" was handed to the wrong patient.Findings: 1. CA00386121During an interview on 3/5/14 at approximately 8:15 AM, the PA 1 (Privacy Analyst) stated that on 1/27/14 the facility was notified that a laboratory order for Patient 1 had been given to another patient by mistake. The recipient contacted the facility to notify them of the mistake. the facility notified Patient 1 of this breach of the information in her laboratory order by a letter dated 1/29/14. The letter indicated that the laboratory order contained the following protected health information: Patient 1's name, date of birth, medical record number, date of service, and some health information.CDPH was notified of this breach by fax on 1/31/14.2. CA00386510During an interview on 3/5/14 at approximately 8:30 AM, the PA 1 stated that Patient 2 was treated in an outpatient surgery clinic. While in the PACU (Post-Anesthesia Care Unit) the resident Medical Doctor (MD) handed Patient 2's post-operative prescription to Patient X. When Patient X took the prescription to a Pharmacy, they noticed the error. Patient X notified the facility of the error from the Pharmacy on 1/28/14 and the Pharmacy destroyed the errant prescription.A facility MD gave the Pharmacy Patient X's correct prescription so there were no delays in her care. Prior to discharge from the PACU the facility realized their error and gave Patient 1 a correct post-operative prescription. Patient 1's prescription which was given to Patient X contained the following protected health information: Patient 1's name, date of birth, date of service, and some health information.The facility notified Patient 1 of this breach of her protected health information by letter dated 2/3/14. 3. CA00387609 During an interview on 3/5/14 at approximately 8:45 AM, the PA 1 stated that a resident MD put Patient 3's pathology report in Patient Y's "My Chart" (an on-line tracking system for test results and appointments) and then the MD emailed the biopsy results to Patient Y. The facility was notified of this mistake on 2/6/14.The pathology report contained the following Patient 3's protected health information: name, date of birth, date of service, medical record number, and health information regarding the biopsy results. Patient Y was no authorized to receive this information. The facility notified Patient 3 of this breach of his/her protected health information by letter dated 2/11/14. The facility also contacted Patient Y to notify him that the biopsy results were not his. The facility notified CDPH of this medical information breach by fax on 2/12/14 at 8:24 AM. 4. CA00386517 During an interview on 3/5/14 at approximately 9:00 AM, the PA 1 stated that a portion of Patient 4's post-operative summary was copied into Patient Z's post-operative summary by a resident Surgeon who then sent the report to Patient Z' Primary Care Physician (PCP). Patient Z's PCP notified the facility that he had received some of Patient 4's information by mistake on 1/29/14. The post-operative summary contained the following protected health information: Patient 3's name, date of service, name and description of the procedure, and the findings of the procedure which Patient Z's PCP was not authorized to receive.The facility notified Patient 4 of the breach of his medical information by a letter dated 2/3/14.The facility notified CDPH of the breach of Patient 4's medical information by fax dated 2/4/14 at 1:08 PM. 5. CA00387615 During an interview on 3/5/14 at approximately 9:15 AM, the Privacy Analyst (PA 2) stated Patient 5's "After Visit Summary" was handed to Patient W by the front office person who had printed summaries for both patients.Patient W realized the error when she went home and she called the facility to report the mistake on 2/5/14.The "After Visit Summary" contained protected health information which included the following: Patient 5's name, date of birth, date of service, medical record number, discharge instructions, medications, and some other health information. Patient W was not authorized to read Patient 5's protected health information.The facility notified Patient 5 of the breach of his medical information by a letter dated 2/12/14 which was one day later than the five business days required for patient notification.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights