This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO, CA 94143

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 31, 2012. Also cited in 108 other reports.


Report ID: LSOM11, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to notify the California Department of Public Health (CDPH) of the breach of personal patient health information within the required five business days after the breach was detected.

Findings:

Patient 1 was seen in the Child Neurology Department on 6/12/12 and a copy of Patient 1's consult letter was mailed to the parent of another patient. The consult letter included Patient 1's name, date of birth, medical record number, medical history, medical assessment, laboratory test results and plan of care.

In an interview on 8/31/12 at 10:00 a.m., the Director of Regulatory Affairs (Staff A) stated the facility became aware of the medical information breach on 6/18/12 when the parent who received Patient 1's consult letter contacted the facility about the error. She stated the Privacy Officer investigated the incident and reported it to the Manager of Accreditation, Licensure & Certification (Staff B) by sending her an e-mail. She stated Staff B had set up a "rule to flag" breaches received through her e-mail. However, the Privacy Officer who sent the e-mail about the breach was not on the lists of Staff B's "rules" so when the e-mail was received by Staff B it was not flagged. Staff B did not open the e-mail in time to report the breach to the Department within five business days.

Review of the report sent to CDPH notifying them of the medical information breach indicated it was faxed on 7/11/12. Staff A acknowledged the information breach was reported late to the Department.

The facility was 18 days late in reporting the information breach within five business days after it was detected.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
