Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 15, 2015. Also cited in 108 other reports.
Report ID: D6DQ11.03, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to notify the California Department of Public Health (CDPH) within five business days from discovery of a medical information breach and the facility failed to maintain patients' protected health information (PHI) in a confidential manner when:1. Patient 1's consultation letter was faxed to the wrong healthcare provider, and 2. a notebook containing Patient 2's PHI was left unattended in another patient's room.These breaches had the potential to cause embarrassment to the affected patients when their confidential information was read by others.Findings:1. CA00424146 (2014-253)During an interview on 1/26/15 at approximately 2:45 PM, the hospital's Privacy Analyst, (PA 4) stated that the intended recipient of the consultation letter had moved his practice but both his new and his old fax numbers were still in the registration/fax system. The consulting physician selected the old fax (incorrect) number and sent the consultation letter. The recipient returned the fax to the hospital on 12/10/14.Record review indicated that the consultation letter contained the following of Patient 1's protected health information: name, medical record number, date of birth, date of service, history, diagnoses, current medications, social history, family history, physical examination, laboratory results, test results, assessment and plan. Record review indicated a fax cover sheet, dated 12/10/14, from the recipient to the hospital. Record review indicated a faxed notice, dated 12/18/14, from the hospital to CDPH notifying CDPH of the breach of Patient 1's PHI and a copy of a letter, dated, 12/15/14 notifying Patient 1 of the breach of his/her confidential information.2. CA00424151 (2014-254)During an interview on 1/26/15 at approximately 3:00 PM, the hospital's Privacy Analysts (PA 1) stated some of Patient 2's protected medical information was breached when a Social Worker left her notebook, which contained this information, unattended in another patient's room. Record review indicated a copy of a notebook page which contained the following PHI for Patient 2: name, date of encounter, diagnoses, family contacts, and possible hospital plan. Record review indicated a faxed notice, dated 12/18/14, notifying CDPH of the breach of Patient 2's confidential information, and a copy of a letter, dated 12/15/14, informing Patient 2 of the breach of his/her confidential information.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights