Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 1, 2014. Also cited in 108 other reports.
Report ID: NHLQ11.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to protect confidential information of patients when consult letter of patients were sent to wrong healthcare providers.Findings:1. For Complaint CA387889:During an interview on 4/1/14 at 9:17 AM, the Privacy Officer stated the patient's consult letter was sent to wrong provider when it was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was when the appointment for the patient was made and the staff at the clinic chose the wrong recipient of the consult letter. The consult letter was automatically faxed to the provider chosen at the time of patient registration after the physician finished the consult letter.Review of the consult letter dated 2/4/14 indicated patient's name, medical record number, date of birth and medical information of the patient.Patient was notified of this breach of her medical information by letter dated 2/13/14.CDPH was notified of this breach of medical information by fax on 2/13/14. 2. For Complaint CA387903: During an interview on 4/1/14 at 9:40 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was made when the staff chose the provider with the same first name and last name but the intended recipient was a physician and not a Nurse Practitioner. Review of the consult letter dated 1/31/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Patient was notified of this breach of her medical information by letter dated 2/12/14.CDPH was notified of this breach of medical information by fax on 2/13/14.3. For Complaint CA388078:During an interview on 4/1/14 at 10:25 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was made when the staff chose the wrong provider in the computer. Privacy Officer stated the last name of the intended recipient and the wrong recipient sounded alike but had one letter difference on the spelling of their last names.Review of the consult letter dated 2/5/14 indicated patient's name, medical record number, date of birth and medical information of the patient.Patient was notified of this breach of her medical information by letter dated 2/13/14.CDPH was notified of this breach of medical information by fax on 2/14/14. 4. For Complaint CA388143:During an interview on 4/1/14 at 10:45 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was made when the staff chose the wrong provider in the computer who had the same last name but different first names. Privacy Officer stated the staff should use multiple identifiers when choosing recipients in the computer but this was not done so there was breach of medical information.Review of the consult letter dated 2/10/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Patient was notified of this breach of her medical information by letter dated 2/13/14.CDPH was notified of this breach of medical information by fax on 2/13/14.5. For Complaint CA388274:During an interview on 4/1/14 at 11:00 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the wrong provider was a previous physician of the patient and was not deactivated on the computer system when the patient changed health insurance, so the fax was automatically sent to the provider on record so the provider received the consult letter in error.Review of the consult letter dated 2/10/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Patient was notified of this breach of her medical information by letter dated 2/13/14.CDPH was notified of this breach of medical information by fax on 2/19/14.6. For Complaint CA388290:During an interview on 4/1/14 at 11:15 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the wrong provider was deactivated from the computer system but was manually chosen by the physician to be the intended recipient without being aware that the wrong recipient was no longer the primary care physician of the patient.Review of the consult letter dated 2/11/14 indicated patient's name, medical record number, date of birth and medical information of the patient.Patient was notified of this breach of her medical information by letter dated 2/18/14.CDPH was notified of this breach of medical information by fax on 2/19/14. 7. For Complaint CA388752:During an interview on 4/1/14 at 11:30 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was made when the staff chose the wrong provider in the computer. Privacy Officer stated the last names of the intended recipient and the wrong recipient was the same but had different first names.Review of the consult letter dated 2/5/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Patient was notified of this breach of her medical information by letter dated 2/20/14.CDPH was notified of this breach of medical information by fax on 2/20/14.8. For Complaint CA388855:During an interview on 4/1/14 at 11:45 AM, the Privacy Officer stated the consult letter was inadvertently faxed to wrong provider. Privacy Officer stated the mistake was made when the staff chose the wrong provider in the computer. Privacy Officer stated the last name of the intended recipient and the wrong recipient were the same but had different first names.Review of the consult letter dated 2/19/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Patient was notified of this breach of her medical information by letter dated 2/20/14.CDPH was notified of this breach of medical information by fax on 2/21/14.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights