UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

Report ID: NUUQ11, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the Hospital failed to ensure the confidentiality of patients' records when they continued to use unencrypted desktop computers and the staff were able to use personal computing devices which were not encrypted (encryption is "the process of encoding messages or information in such a way that only authorized parties can read it." Wikipedia) and which were stolen. In addition to lost/stolen computing devices, the Hospital reported breaches of protected information through misdirected faxes, misdirected mailings, and mishandled information given to a wrong patient or family member. All of these mistakes resulted in patients' protected health information (PHI) being shared with/sent to a person who was not authorized to review the information.Findings:A. Computing DevicesOn 1/27/14 at 3:38 PM, the hospital sent a faxed notification to CDPH informing the Department that eight unencrypted desktop computers were stolen from an off-campus clinic. The hospital determined that one of the computers contained protected health information for 9,986 patients. In addition to the theft of these unencrypted desktops computers, the hospitals has filed several reports of stolen unencrypted laptops, both hospital owned and personally owned, over the past year. All of these contained protected health information of patients.The Hospital reported that on 9/9/13, a personal unencrypted laptop was stolen which contained PHI for 3541 patients (CA00371774)..On 11/6/13, the Hospital verified that an unencrypted Hospital laptop was stolen from a car and it contained PHI for 59 patients (CA00376808).On 11/22/13, the Hospital reported that a personal unencrypted laptop had been stolen which contained PHI for 1084 patients (CA00378044).Record review of the policy "Recommendations for Securing Mobile Devices, dated 8/24/12, stated "Only use PIN/password encrypted devices." Record review of the Executive Medical Board minutes of 3/26/13 indicated that the Privacy Officer was keeping the Board of Directors informed about these medical information breaches, and that there was active trending of the types and sizes of the breaches which had occurred.Record review of the Executive Medical Board minutes of 9/24/13 indicated that the Privacy Officer had noted that in FY (fiscal year) 2013 the number of information breach reports to CDPH had increase 117% over FY 2012. The Privacy Officer noted that one of the risks associated with this increase included the continued use of unencrypted personal devices.Record review of the Executive Medical Board minutes of 12/17/13 and the Governance Advisory Committee minutes of 12/17/13 indicated the new Policy and Procedure "Safeguarding the Privacy and Confidentiality of (Hospital Name) Information and Data", Policy #5.02.26, was approved. This policy and procedure required that all hospital and personal computing devices used to access Hospital information systems must be encrypted.During an interview on 4/14/14 at 1:30 PM, the Chief Information Officer (CIO), the Privacy Officer (PO), and the Information Security Officer (ISO) reported that all of the Hospital's laptop computers had been encrypted. The CIO stated that the Hospitals had considered desktop computers a low risk for medical information breaches but that after the incident at the clinic (CA00385469), the Information Security staff had been instructed to encrypt all desktop computers owned by the Hospital. The CIO reported that this process was 30% completed with a target date for full implementation of 6/30/14.The CIO, PO and ISO reported that the Hospital would provide encryption of all personal computing devices but that many people preferred to have this process done elsewhere, or to do it themselves; the Information Technology (IT) Department had provided a list of alternative methods/places to have personal computing devices encrypted. These leaders stated that letters had gone to all employees, physicians, and independent licensed practitioners informing them of the requirement for mandatory encryption of their personal computing devices before accessing any Hospital information systems.The CIO, PO and ITO described the current safeguards within the Hospital's information system and stated that direct patient electronic chart records are not downloadable to any computing devices. Prior and current breaches of protected health information occurred when individuals created and attached spreadsheets to the emails or discussed information relating to patient care in their emails. If the emails were opened on unencrypted devices, the information was vulnerable to a breach if lost or stolen. The CIO described new technology "Network Access Control" which the Hospital was piloting. This technology prevents transmission of emails to unencrypted devices. The CIO did not have any updated information on the pilot program.B. Mis-faxed InformationDuring the past year, the hospital has made numerous reports to CDPH of medical information breaches when faxed copies of consultation reports, discharge summaries, test results, and progress notes were faxed to incorrect recipients.Record review of the Executive Medical Board (EMB) minutes dated 9/24/13 indicated that in FY 2013 the Hospital had to notify 307 patients that their protected health information had been breached. The PO reported to EMB that 55% of these were the result of misdirected faxes. During an interview on 4/15/14 at 10:42 AM, the Director of Clinical Applications (DCA) stated that she was in charge of the automatic APEX fax delivery system. Analysis of the misdirected faxes which had been reported to CDPH indicated that the cause was usually an incorrect selection of a Primary Care Provider (PCP) by a physician or staff member. This had been addressed last Fall, 2013, when physicians' ability to automatically select other physicians in the system was deleted. The DCA said the current most common cause of misdirected faxes now was human error in the selection of a PCP who was to receive consultation letters, discharge summaries, progress notes, etc. made by the Hospital staff. The DCA said that on 4/3/14 a retraining of all personnel who selected and entered PCPs into the system had begun. The new system required the Administrative Assistant to verify the name of the PCP with the patient and compare the name with other identifiers (address, phone numbers, specialty) which the patient provided. If they were not able to ensure two identifiers for each PCP then the AA was to enter that the PCP was not known. Since this was a new approach and the training had not been completed, the DCA said they had no data to confirm its effectiveness.Interviews with Administrative staff in four clinics indicated three of the four had received this training.C. Hand delivered or Mis-mailed informationIn addition to stolen computing devices and misdirected faxes, the hospital has also had breaches of protected health information when test results, After Visit Summaries, Discharge Instructions, Laboratory requests, prescriptions, etc. were handed to the incorrect patient/family recipient. During an interview on 4/15/14 at 11:30 AM, the Privacy Officer (PO) and a Privacy Analyst (PA) stated that they had been trending the information breaches for several years. During the implementation of the new policy #5.02.26, training in each department also included instructions to verify the name on each page of printed information before handing it to the patient, and to verify two identifiers (name and DOB) from the patient before giving them the printed paperwork. Staff were only to handle one patient's paperwork at a time so that swapping information between patients could be eliminated.Mailed information was to have each page verified before putting into an envelope which was also verified as the correct patient and address. Since these approaches to mailed and hand delivered information were not fully implemented, the PO had no information as to the effectiveness and these new procedures.

Outcome:

Deficiency cited by the California Department of Public Health: PATIENT RIGHTS: CONFIDENTIALITY OF RECORDS