Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 22, 2012. Also cited in 108 other reports.
Report ID: Q23911.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to notify the California Department of Public Health (CDPH) of the breach of personal patient health information within the required five business days after the breach was detected. (Patient 27, 28, 29, 30, 31, 32, and 33).Findings:During an interview on 6/22/12 at 10:05 AM, Pharmacist 1 stated that on 5/18/12, she was on the 8 th floor Neurology ward and had a stack of paper with patients' information and her personal notes. She stated she was carrying the information around with her because patients on the list were scheduled for discharge. Pharmacist 1 said she put down the stack of papers in the nursing station, walked away for few seconds and when she came back the list of patients were gone. She stated she asked the staff on the ward, the nurse manager, the medical residents and other pharmacists but she couldn't find the patients' list. Pharmacist 1 reported the incident to her immediate supervisor.During an interview on 6/22/12 at 10:33 AM, the Chief Pharmacy Officer stated the incident probably happened when a nurse was putting a patient's discharge instructions in an envelope and accidentally put the pharmacist's papers inside the envelope with the discharge instructions. The patient who received Pharmacist 1's list returned the documents to the facility. During the 6/22/12 facility visit, a copy of Pharmacist 1's list of patients was reviewed and indicated that seven (7) patients (Patient 27, 28, 29, 30, 31, 32 and 33) were not included on the list reported to CDPH on 5/25/12. During an interview on 6/22/12 at 10:45 AM, the Manager of Accreditation, Licensure and Certification stated the information breach happened on 5/18/12 and 26 patients were reported to CDPH on 5/25/12. The manager was told the fax letter of 5/25/12 did not include seven (7) patients (Patient 27, 28, 29, 30, 31, 32 and 33) whose medical information had been disclosed. Pharmacist 1's list included patient names, medical record number and diagnoses. The manager stated she would send additional information to CDPH.Review of a letter (dated 6/29/12) sent by the Manager of Accreditation, Licensure and Certification, indicated, "During your visit, you identified from the documents that were inadvertently given to wrong patient the names of six patients for whom you did not have a notification letter and believed should have been notified. The six patients you identified were excluded by the UCSF Privacy Office at the time of their investigation of the breach because the information contained in the documents associated with these patients were not deemed to be medical information or reportable to CDPH ... After your visit on 6/22/12, upon further review by the Privacy Office, 5 of 6 patients continue to be excluded; however, medical information was contained in the breached documents for one of the six patients (Patient 32) you identified. The patient (Patient 32) was notified via a letter sent on 6/25/12..."Review of the facility's Information Security and Confidentiality policy and procedure with approval date of 3/2004 indicated, "Protected Health Information (PHI): ... identifies or could reasonably identify the individual; and is transmitted or maintained in electronic or any other form or medium."A fax letter reporting a breach of 26 patients medical information was received by the California Department of Public Health on 5/25/12. However, the fax letter did not include the names of seven (7) other patients whose information had also been disclosed (Patient 27, 28, 29, 30, 31, 32 and 33). The facility was 28 days late in reporting the information breach within five business days after it was detected.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280