Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 21, 2014. Also cited in 108 other reports.
Report ID: LGNQ11.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Surveyor: Coulton, MaryBased on interview and record review, the hospital failed to protect the confidentiality of Patient 4's protected health information (PHI) when a staff member, Temp 2, intentionally accessed Patient 4's electronic medical record (EMR) without business justification or authorization. This had the potential for embarrassment of Patient 4's family if the information was disclosed.Findings:During an interview on 8/21/14 at approximately 9:00 AM, the hospital's Privacy Analyst (PA 1) stated that on 8/12/14, when the hospital became aware of the death of Patient 4, the hospital implemented a policy and procedure to monitor all access to Patient 4's EMR. PA 1 stated that within hours of implementing this auditing process, Temp 2 was found to have accessed Patient 4's EMR without business justification or authorization.PA 1 stated that Temp 2's temporary position at the facility was ended on 8/12/14. PA 1 stated that he and two other hospital representatives, as well as a representative from the agency which provided Temp 2 as a temporary employee, interviewed Temp 2 on 8/14/14. PA 1 reported that during this interview, Temp 2 was very distraught and she apologized to the interviewers for her lapse in judgment when she accessed Patient 4's EMR. PA 1 stated Temp 2 signed a Confidentiality Attestation that she would not disclose any of the information she had seen in Patient 4's EMR.The hospital provided a copy of the audit performed by the Informational Technology staff. In a letter dated 2/20/15, the Manager of Accreditation and Licensing wrote that the Privacy Department set the parameters of the audit which included Temp 2's name and employee ID, Patient 4's name,date of birth, medical record number, and systems: APEX access which occurred 8/11/14 to present. The letter went on to say that PA 1 reviewed the audit results, in concert with the involved Department Managers, and confirmed that Temp 2 had accessed, without business need or authorization, under the "Module" column, Patient 4's inpatient and outpatient hospital encounters, reports and "Snapshots" (summaries) of protected health information as far back as 1/1/1989. Record review indicated a copy of the "Confidentiality Attestation" signed by Temp 2 on 8/14/14, in which she agreed not to disclose any of the information she had seen in Patient 4's EMR, and acknowledging that she was still bound to respect Patient 4's right to privacy based on her Hospital Confidentiality Statement, and state and federal laws.Record review indicated Temp 2 had received training of the hospital's "Confidentiality of Patient, Employee and Universal Business Information" policy which she signed on 4/28/14.Record review indicated a letter, dated 8/18/14, to Patient 4's family notifying them of this breach of medical information The facility failed to ensure the confidentiality of Protected Health Information when a temporary staff member accessed Patient 4's electronic medical record without authorization and without business justification. Temp 2's action to access the patient's medical information for improper purposes violated Health and Safety Code 1280.15 and is therefore subject to the applicable civil penalty assessment.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280