Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 16, 2014. Also cited in 108 other reports.
Report ID: QS2V11, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to protect patients confidential medical information when:1. Patient 1's Operative Report was faxed to an incorrect provider,2. Patient 2's After Visit Report was handed to the wrong patient,3. Patient 3's Consultation letter was faxed to the incorrect provider, and 4. Patient 4's progress notes were faxed to the incorrect provider.This mis-handling of protected health information had the potential for embarrassment to the patients' and future identity theft.Findings:1. CA00405248 (2014-169)During an interview on 7/18/14 at approximately 10:15 AM, the Privacy Analyst (PA) stated that during the pre-admission process, the registration clerk entered the wrong referring physician. When the surgery was completed, a copy of Patient 1's Operative Report was automatically faxed to the referring physician on the admission record. This physician faxed the report back to the surgeon on 7/7/14. The PA stated Patient 1's parents were notified of this mistake by letter on 7/11/14.Record review indicated Patient 1's Operative Report, dated 6/29/14, contained the following confidential information: name, medical record number, date of surgery, pre- and post-operative diagnosis, description of the procedure performed.Record review indicated a letter was faxed to California Department of Public Health (CDPH) on 7/11/14 at 3:18 PM notifying them of the breach of Patient 1's information.Record review indicated a letter dated 7/11/14, was sent to the Parent or Guardian of Patient 1, notifying them of the breach of their child's medical information.2. CA00405256 (2014-168)During an interview on 7/18/14 at approximately 10:30 AM, the Privacy Analyst (PA) stated that following a visit to the Cancer Center, the clerk handed patient 2's After Visit Summary to another patient with the same last name. The PA stated the clerk did not follow the procedure for checking the accuracy of the documents being handed to patients. The PA stated the hospital was notified of this mistake on 7/7/14. The PA stated Patient 2 was notified of this breach of his/her medical information by letter on 7/11/14.Record review indicated Patient 2's After Visit Summary, dated 7/8/14, contained the following confidential information: name, medical record number, date of visit, diagnoses, vital signs, allergies, current medications, future appointments, and discharge instructions.Record review indicated a letter faxed to California Department of Public Health (CDPH) on 7/11/14 at 3:16 PM notifying them of the breach of Patient 2's information.Record review indicated a letter to Patient 2 dated 7/11/14 notifying Patient 2 of the breach of his/her medical information.3. CA00405266 (2014-167)During an interview on 7/18/14 at approximately 10:45 AM, the Privacy Analyst (PA) stated that the clerk who registered Patient 3, verified her primary care physician's first and last name but the clerk did not verify his specialty or his address. The PA stated there were several physicians with the same first and last name and the clerk chose the wrong one. The PA went on to say that the physician who wrote the consultation faxed it to the referring physician on the record and the receiving physician faxed it back. The PA stated the hospital became aware of the breach on 7/7/14. The PA said Patient 3 was notified by letter of the breach of his/her medical information on 7/10/14.Record review indicated Patient 3's consultation letter, dated 7/6/14, contained the following confidential information: name, medical record number, date of consultation, diagnoses, discussion summary of physician with Patient 3 and plan of care.Record review indicated a letter faxed to California Department of Public Health (CDPH) on 7/11/14 at 3:42 PM notifying them of the breach of Patient 3's information.Record review indicated a letter to Patient 3, dated 7/10/14, notifying Patient 3 of the breach of his/her medical information.4. CA00405674 (2014-172)During an interview on 7/18/14 at approximately 11:00 AM, the Privacy Analyst (PA) stated that the clerk who registered Patient 4 did not follow the procedure of verifying two types of identification and only verified the physician's last name. The PA stated there were two physicians with the same unusual last name and the clerk chose the wrong one. The PA went on to say that the receiving physician faxed it back. The PA stated the hospital became aware of the breach on 7/9/14. The PA said he had verified that the intended recipient did receive copies of the progress notes so care was not impacted. The PA added Patient 4 was notified by letter of the breach of his/her medical information on 7/14/14.Record review indicated Patient 4's progress notes, dated 4/15/14, contained the following confidential information: name, medical record number, date of service, Oncology history including treatments, complications and laboratory results, progress notes, diagnoses, current medications, review of systems, physical examination, laboratory results, assessment and plan.Record review indicated a letter faxed to California Department of Public Health (CDPH) on 7/14/14 at 3:04 PM notifying them of the breach of Patient 4's information.Record review indicated a letter to Patient 4 dated 7/14/14 notifying Patient 4 of the breach of his/her medical information.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights