This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SAN FRANCISCO GENERAL HOSPITAL

1001 POTRERO AVENUE, SAN FRANCISCO, CA 94110

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 29, 2012. Also cited in 27 other reports.


Report ID: 8WR811.01, California Department of Public Health

Reported Entity: SAN FRANCISCO GENERAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to ensure patients' personal information remained confidential when a licensed nurse (LN 1) faxed the 7/10/12 appointment schedule for the Occupational Health Department to an unsecured and unauthorized fax number.

Findings: On 11/29/12, in a group interview with the Director of Regulatory Affairs (DRA), the Director of Critical Care Units (DCCU), and the Nurse Manager of Regulatory Affairs (NM), they stated that a Licensed Vocational Nurse (LN 1) was functioning as the unit clerk in the Occupational Health Services Department (OHS). They said LN 1 had a contractual dispute between herself and the facility in progress. In order to assist in her dispute, LN 1 faxed a copy of the 7/10/12 Occupational Health Services schedule to her Union Representative. This schedule contained the names of the thirty-nine employees scheduled as patients to be seen that day. In addition, this schedule listed the employees' job classification, medical record number, and the type of examination to be performed during their visit to OHS.

After reviewing this document the Union Representative formulated a letter for the contractual dispute. This letter and the 7/10/12 OHS Schedule were faxed back to the Human Resources Department. Human Resources reviewed the OHS schedule and realized that employee protected health information was on the faxed document and they informed the facility's Privacy Officer of the potential breach of medical information. On 10/16/12 the facility's Privacy Officer received this faxed copy of the 7/10/12 OHS Schedule and realized this confidential personal information had been faxed over unsecured and unauthorized fax lines.

The Privacy Officer notified the facility's Department of Regulatory Affairs and they sent a faxed notification of the information breach to the California Department of Public Health on 10/22/12 at 5:33 PM. The Privacy Officer spoke with the Union Representative who had received the faxed schedule from LN 1 and who had faxed the schedule back to the Human Resources Department. The Union Representative told the Privacy Officer the document had not been shared with other sources, and the Union Representative agreed to destroy the faxed copy of the schedule.

During this group interview, the participants stated LN 1 had received mandatory training in Privacy and Information Systems Security, and LN 1 had signed a confidentiality agreement.

In a telephone interview on 7/21/14 at 11:30 AM, the facility's Privacy Officer (PO) confirmed that the OHS schedule had been faxed to the Union Representative by LN 1, and was subsequently faxed back to the Human Resources Department, by the Union Representative, over an unsecured and unauthorized fax line. The PO stated LN 1 was trying to use this document to support a different labor dispute she was having with the facility and she had not redacted any of the extraneous information. The PO went on to say that she had a formal conference regarding this information breach with LN 1 and her Union Representative but the Union Representative did not think Confidential Agreement or HIPAA (Health Insurance Portability and Accountability Act) did not apply to labor disputes.

The PO provided a copy of the Grievance Form and the Attached OHS schedule which had been forwarded to her by the Human Resources Department. Record review included a copy of the 7/10/12 OHS schedule. This document contained patient names, job classifications, medical record numbers, and reason for the visit on many of the patients on the schedule.

Record review included the letters of notification sent to each of the 39 patients. These letters were sent by the Privacy Officer and were dated 11/19/12.

Record review included LN 1's acknowledgement that she had received a copy of the facility's "Code of Conduct", a document explaining the "Use of SFDPH (San Francisco Department of Public Health) Records and Information Systems", and an "Oath of Confidentiality" all signed by LN 1 on 3/6/09 during LN 1's initial orientation to the facility. The Oath of Confidentiality stated "I, the undersigned, hereby agree not to divulge any information or records concerning any client/patient without proper authorization..."

Record review included a copy of LN 1's Continuing Education Record which indicated LN 1 had completed training on "HIPAA - Privacy, I. S. Security" (Health Insurance Portability and Accountability Act - Privacy, Information Security) on 4/19/12, 6/22/11, and 3/6/10. The facility provided a copy of this training which included information stating that Protected Health Information (PHI) included name and medical record number. The training described how privacy breaches could occur with examples such as misdirected faxes and sending reports to the wrong person.

In a telephone interview on 7/21/14 at 11:30 AM, the facility's Privacy Officer (PO) confirmed that the OHS schedule which had been faxed to the Union Representative and was subsequently faxed back to the Human Resources Department over unsecured and unauthorized fax lines. The PO stated LN 1 was trying to use this document to support a different labor dispute she was having with the facility and she had not redacted any of the extraneous information. The PO went on to say that she had a formal conference regarding this information breach with LN 1 and her Union Representative but the Union Representative did not think Confidential Agreement or HIPAA (Health Information Portability and Protection Act) did not apply to labor disputes.

The PO provided a copy of the Grievance Form and the Attached OHS schedule which had been forwarded to her by the Human Resources Department. The facility failed to ensure the confidentiality of Protected Health Information and personal medical information when a schedule containing this information was faxed over an unsecured fax line to an unauthorized recipient.

The employee's action to access the patients' medical information for improper purpose violated Health and Safety Code 1280.15 and is therefore subject to the applicable civil penalty assessment.

Outcome:

Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280
