This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO, CA 94143

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 21, 2013. Also cited in 108 other reports.


Report ID: 4GQD11.01, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to report a breach of protected health information to CDPH within the five day grace period when:

1. The breach of Patient 1's information was not reported until the eleventh day after the five business day grace period.

2. The breach of Patient 2's information was not reported until the fourth day after the five business day grace period.

Findings:

1. CA 00371137 (2013-215)

During an interview on 11/21/13 at 3:00 PM, Privacy Analyst (PA1) stated that on 9/5/13 at 6:50 PM a copy of Patient 1's discharge summary was faxed to the incorrect fax number. The fax was sent back to the facility on 9/6/13. Privacy Analyst 2 (PA2) said that a staff member manually added the primary care physician to the system, but added a physician with a name similar to the correct attending physician. The recipient returned the fax to the facility on 9/6/13.

Record review indicated a Discharge Summary which contained the following of Patient 1's protected health information: name, medical record number, date of birth, date of service/discharge, history diagnoses, current medications, physical exam, laboratory results, x-ray results, test results and follow-up needs for primary care physician. Record review indicated a fax cover sheet from the facility to the incorrect recipient dated 9/5/13 at 6:50 PM and the return fax from the recipient to the facility dated 9/6/13 at 8:18 AM. The recipient's fax to the facility indicated incorrect physician and fax number printed with a notation, "Wrong number - (name of physician) does not work here".

Record review indicated a faxed notice dated 9/25/13 from the facility to CDPH notifying CDPH of the breach of Patient 1's PHI and a copy of a letter, dated 9/25/13, notifying Patient 1 of the breach of his/her confidential information.

During an interview with the facility's Manager, Accreditation and Licensing (Mgr) on 11/21/13 at 3:00 PM, the Mgr acknowledged that the faxed notice of the breach sent to CDPH was thirteen days late.

2. CA 00371121 (2013-214)

During an interview on 11/21/13 at 2:00 PM, Privacy Analyst (PA1) stated that on 9/13/13 an anonymous kidney transplant donor reported clinical staff at the clinic asked, "Are you the individual donating to (name of recipient)?" Anonymous donor reported the incident to supervisor but subsequently was unable to identify clerical staff member involved.

Record review indicated a faxed notice dated 9/25/13 from the facility to CDPH notifying CDPH of the breach of Patient 2's PHI (name and transplant status) and a copy of a letter, dated 9/25/13, notifying Patient 2 of the breach of his/her confidential information.

During an interview with the facility's Manager, Accreditation and Licensing (Mgr) on 11/21/13 at 2:00 PM, the Mgr acknowledged that the faxed notice of the breach sent to CDPH was four days late.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
