Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN FRANCISCO GENERAL HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 29, 2013. Also cited in 27 other reports.
Report ID: GBVG11.01, California Department of Public Health
Reported Entity: SAN FRANCISCO GENERAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidentiality of Patient 1's Lifetime Care Record (LCR - medical record, electronic chart) when four staff members accessed Patient 1's LCR without need and without authorization.Findings:Patient 1 was admitted to the hospital on 9/19/13. Patient 1, who had periods of confusion, wandered off the nursing unit and was not located within the hospital or at home. This triggered a Missing Persons search by the local Police Department which was broadcast in newspaper and television reports. Patient 1's dead body was found in a stairwell of the hospital on 10/8/13 and this started more media coverage. This entire situation made Patient 1 a high-profile case. During an interview on 10/28/13 at 8:00 AM, the hospital's Privacy Officer (PO) stated that the hospital automatically does weekly computer audits on high-profile cases to identify potentially unauthorized access to the high profile individual's Lifetime Care Record (LCR). The PO went on to say that the audits identified four individuals who had accessed Patient 1's LCR without an obvious need to review Patient 1's clinical information.The PO went on to say that on 10/21/13 the audit report identified that on 10/18/13 a Registered Nurse (RN 6), who worked in the ICU (Intensive Care Unit), had accessed clinical notes and reports in Patient 1's LCR. The PO stated she spoke with RN 6 by telephone on 10/21/13, and RN 6 admitted that she had accessed Patient 1's LCR without need and without authorization because she (RN 6) "was curious."The PO continued her report and stated the audit indicated that on 10/10/13, a contracted Billing Manager, working for the Department of Anesthesia, had accessed Patient 1's LCR two times to review Patient 1's report notes and discharge summary. During her interview with the PO, the Billing Manager admitted that she had improperly accessed Patient 1's record because she "was curious."The PO went on to say that a contracted Billing Clerk, working for the Department of Anesthesia, accessed Patient 1's LCR reports and clinical notes on 10/10/13. The Billing Clerk told the PO that she was checking the LCR to see if there was a need to bill for Anesthesia Services. Patient 1 had never had any Anesthesia Services. The PO and the Billing Manager stated there was no need and no authorization for this Billing Clerk to access Patient 1's LCR.The PO continued that a contracted Billing Analyst, working for the Department of Neurosurgery, viewed Patient 1's clinical notes and discharge summary on 10/10/13. The Billing Analyst acknowledged that there was no need and no authorization for this access and stated that she (Billing Analyst) "was curious."Record review of the reports "Display Audit Log", dated 10/21/13, showed the dates and the areas of Patient 1's LCR which each of these four individuals had accessed.Record review of the hospital's Policy and Procedure titled "Health Information Services: Confidentiality, Security, and Release of Protected Health Information" dated 6/11, stated "It is the policy of (Hospital Name) to protect every patient's right to privacy. As a general guideline, all observations and/or communications regarding a patient's medical history, mental or physical conditions, and treatments are considered confidential. Protected health information may be released only for approved purposes, with proper authorization from the patient when required, and as permissible or required by federal or state law."Record review of documentation titled "Transcripts" indicated all four individuals had completed Compliance (HIPPA) and Patient Privacy and Information Security training modules - RN 6 on 5/22/13, Billing Manager on 5/15/13, Billing Clerk on 6/3/13, and Billing Analyst on 6/6/13. During a telephone interview on 12/18/13 at 11:15 AM, the hospital's Director of Regulatory Affairs stated that RN 6 had been terminated from the hospital for failing to protect the confidentiality of patient information. The Director of Regulatory Affairs said the Billing Manager and the Billing Analyst had been terminated from their positions with the Contracted Services Provider for their failure to protect the confidentiality of Patient information. The Billing Clerk continued to insist that she went into Patient 1's medical record at the direction of her supervisor. Since this could not be proven nor disproven, the Billing Clerk was not terminated from her position with the Contracted Services Provider. The Billing Clerk received a Formal Written Warning as Disciplinary Action; she was required to repeat all of the courses regarding Confidentiality, Patient Privacy and HIPPA. The Billing Clerk was returned to her position at the hospital and the Privacy Officer will monitor frequent random audits of her computer access into patient medical records. The facility failed to ensure the confidentiality of Protected Health Information and personal medical information when four staff members accessed this information in Patient 1's computerized Lifetime Care Record.The employees' actions to access the patient's medical information for improper purpose violated Health and Safety Code 1280.15 and is therefore subject to the applicable civil penalty assessment.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280