Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN FRANCISCO GENERAL HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 16, 2012. Also cited in 27 other reports.
Report ID: 0J8011.02, California Department of Public Health
Reported Entity: SAN FRANCISCO GENERAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to maintain privacy and confidentiality of Patient 1's medical record when Health Worker 2(HW-2) inappropriately accessed the patient's Life Care Record (LCR) electronic medical record so she could obtain the address of Patient 1 for the purpose of serving some kind of court papers in a child custody case. This breach of medical information represents an intentional and malicious breach of protected health information by a health care worker.Record review of a 5/7/12 User Confidentiality, Security and Electronic Signature Agreement, signed by HW-2, indicates: "I will only access,discuss or divulge confidential protected health information as required for the performance of your job duties."Record review of a LCR Chart audit, dated 8/28/12 at 9:00 A.M. indicates HW-2 viewed Patient 1's reports and notes (Name and address), medications, lab values and HIV(AIDS) disclosure status.In an interview on 11/16/12 at 11:00 A.M., the Facility Privacy Officer (FPO) made the following statements:"On 9/10/12 I was notified that Patient 1 had a complaint alleging that an employee (HW-2) of the Family Health Center Clinic (FHC) had inappropriately accessed her PHI (protected health information-name, address, lab values, medical diagnosis, medications) so she could fill out court papers.""Patient 1 reported she received an envelope addressed in her name but to the address of her boy friend. The envelope had a return address of the 5M Women's Health Clinic. The address is listed in LCR but Patient 1 stated it is not her address. Patient 1 stated she recognized the hand writing on the envelope as HW-2's and that she knows HW-2 because the boyfriend is the father of HW-2's child.""Patient 1 presented the envelope, still sealed, to a staff member on 5M. The staff member verified it was not sent by the 5M clinic. Patient 1 stated she was afraid to see the contents and asked the staff member to open it. The staff member discovered the contents were copies of court papers from HW-2 not paperwork related to medical care.""Patient 1 stated that HW-2 must have accessed her PHI to know that she is a patient of 5M.""I ran an audit report on the LCR access of Patient 1's PHI and the results indicated that on 8/28/12 HW-2 accessed and viewed the following PHI from Patient 1's record: Reports, Medications, lab values and HIV(AIDS) status.""On the date in question, HW-2 had been temporarily assigned to unit 4B, an inpatient care unit, and her duties would not have required her to access Patient 1's medical record that day""HW-2 remains on paid administrative leave pending a disciplinary hearing by Human Resources."Health Worker 2's (HW-2) action to access Patient 1's Life Care Record (LCR) without justification represents an intentional and malicious breach of protected health information and a violation of the Health and Safety Code 1280.15(a), and is therefore subject to the applicable Administrative Penalty.
Outcome:
Fine imposed and deficiency cited by the California Department of Public Health: Medical Record Availability