Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 17, 2013. Also cited in 108 other reports.
Report ID: 06DH11.02, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to safeguard protected health information when an employee's backpack containing protected health information (removed from the facility) was stolen from her car. Findings:In an interview 7/25/13 at 2:10 PM, Staff 2 said he was contacted by Staff 1 regarding a report of a car burglary on 5/16/13. Staff 2 said he reviewed information breached with Staff 1 and contacted the manager (Staff 3) to discuss findings. Staff 3 stated that Staff 1 is expected to produce results during work hours and counseled her on having protected health information outside the facility in her backpack. Staff 3 said that Staff 1 has remote access to facility's computers but printed out the patient information, which included name age, medical record number and follow-up on a page titled "abnormal Pap (screening test for cervical cancer) smears" so that she could have a hard copy of the results and not have to toggle between two computer screens. In an interview on 12/5/13 at 3:00 PM, Staff 1 said that she printed out Pap smear list so that she could prepare charts for the next day. Staff 1 said she doesn't usually print lists but she wanted to be sure that all patients were followed up. Staff 1 said that she has a facility computer and has remote access via VPN (virtual private network which enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network). Staff 1 said she did not want to toggle between the two screens, so she printed out the list of abnormal pap smear patients and put it in her backpack. Staff 1 said she was aware of the policy on removal of protected health information from the facility. Review of facility's Policy and Procedure - confidentiality, Access, Use and disclosure of Protected Health Information and Patient Privacy 5.02.01 (III)(3) indicated "...it is the responsibility of the individual to ensure that the medical record..is not removed from UCSF".
Outcome:
Deficiency cited by the California Department of Public Health: Medical Record Availability