This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN FRANCISCO GENERAL HOSPITAL

1001 POTRERO AVENUE SAN FRANCISCO, CA 94110

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 19, 2013. Also cited in 27 other reports.


Report ID: W5G911.01, California Department of Public Health

Reported Entity: SAN FRANCISCO GENERAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to prevent the unauthorized access to Patient 1's confidential medical information by Staff 1.

Findings:

During an interview on 7/3/13 at 9:30 AM, the facility's Privacy Officer (PO) related the details of her investigation of a breach of medical information. The PO stated the facility normally conducted random audits of computer access by employees who have the same last name as a patient. The PO stated that during a random audit on 5/17/13 it was noted that Staff 1, a unit clerk on a Medical/Surgical (M/S) unit, had accessed the records of Patient 1 who was on the Obstetrical (OB) unit. The PO said the facility did not identify a valid reason for a M/S clerk to be accessing an OB patient record. The facility did a complete search of Staff 1's access into Patient 1's medical record and determined Staff 1 had accessed Patient 1's medical record on 4/9/13, 4/17/13, 4/23/13 twice, and 5/12/13 without any need for the information or authorization to access this chart.

The PO stated that on 5/20/13, the M/S Nurse Manager confirmed that Staff 1 had no job-related duties which required access to patients' records on the OB unit.

The PO stated that due to contractual obligations the PO could not interview Staff 1 directly until 5/22/13 when Staff 1's Union Representative was available. During this meeting Staff 1 admitted accessing Patient 1's medical record without authorization. The medical record, also called the Lifetime Care Record, included protected health information such as name, address, date of birth, medical record number, dates of service, test and X-ray results, physician and nursing examinations, diagnoses, treatment plans, etc.

Staff 1 told the PO and the Union Representative that Patient 1 was Staff 1's niece and she had been missing so Staff 1 wanted to see if she (Patient 1) had been admitted.

The PO stated the facility had audited Staff 1's computer access records and there were no other findings of unauthorized access to patients' records.

During this 7/3/13 interview, the PO also stated that Staff 1 had received all the required privacy training and that these training sessions had been reinforced in M/S unit staff meetings.

The PO provided a copy of Staff 1's training history. Review of this record indicated her most recent HIPPA (Health Information Protection and Portability Act) Training course had been on 9/14/12. Slide 18 of this presentation stated "Employees are restricted from accessing their own records and records of family members."

Review of the facility policy and procedure "Confidentiality, Security, and Release of Protected Health Information" dated 6/11, indicated "Uses of protected health information in any context or for any purpose other than direct patient care must be approved through the applicable processes outlined below..."

Based on the interviews conducted by the PO with Staff 1 and her Nurse Manager, it was concluded that Staff 1 worked in a different unit from where Patient 1 was being treated. Staff 1 had no need to access Patient 1's medical record. Therefore, Staff 1's entry into Patient 1's medical record on 4/9/13, 4/17/13, 4/23/13 twice, and 5/14/13 were unauthorized breaches.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
