UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

Report ID: LSOM11, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to notify the California Department of Public Health (CDPH) of the breach of personal patient health information within the required five business days after the breach was detected. Findings:Patient 1 was seen in the Child Neurology Department on 6/12/12 and a copy of Patient 1's consult letter was mailed to the parent of another patient. The consult letter included Patient 1's name, date of birth, medical record number, medical history, medical assessment, laboratory test results and plan of care.In an interview on 8/31/12 at 10:00 a.m., the Director of Regulatory Affairs (Staff A) stated the facility became aware of the medical information breach on 6/18/12 when the parent who received Patient 1's consult letter contacted the facility about the error. She stated the Privacy Officer investigated the incident and reported it to the Manager of Accreditation, Licensure & Certification (Staff B) by sending her an e-mail. She stated Staff B had set-up a "rule to flag" breaches received through her e-mail. However, the Privacy Officer who sent the e-mail about the breach was not on the lists of Staff B's "rules" so when the e-mail was received by Staff B it was not flagged. Staff B did not open the e-mail in time to report the breach to the Department within five business days. Review of the report sent to CDPH notifying them of the medical information breach indicated it was faxed on 7/11/12. Staff A acknowledged the information breach was reported late to the Department.The facility was 18 days late in reporting the information breach within five business days after it was detected.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280