Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 5, 2014. Also cited in 108 other reports.
Report ID: V29J11.05, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to protect Patient 1's confidential records, when his discharge summary was given to another patient who was not authorized to receive Patient 1's protected health information, and Patients 2 through 13 had their protected health information on documents which were removed from the facility contrary to usual practice and were left unattended in an unlocked car and which were subsequently stolen from the car. These incidents had the potential for misuse of the Patients' protected health information (PHI).Findings:Patient 1 - CA00381383During a telephone conference call on 2/6/14 at approximately 3:00 PM, a Privacy Analyst (PA) stated that a Discharge Summary for Patient 1 was given to another patient (Patient 1B) being discharged around the same time. This occurred on 12/4/13. When Patient 1B eventually read the Discharge Summary, he noted that it was for Patient 1. Patient 1B notified the facility on 12/11/13 that he had received a Discharge Summary for Patient 1. The PA stated that nursing unit was chaotic at the time of discharge when the nurse gave the Discharge Summary to the wrong patient.The Manager for Accreditation and Licensing (MAL) reported that the Discharge Summary contained Patient 1's name, date of birth, medical record number, address, phone number, medications, follow up appointments, teaching records, and discharge instructions. Patient 1B was not authorized to see this protected health information. Patients 2 through 13 - CA00380608 During a telephone conference call with the hospital's Privacy Analyst (PA) on 2/6/14 at approximately 4:00 PM, the PA stated that a physician (MD 1) was going to the airport for a bereavement leave. The PA stated MD 1 stopped at a cat boarding facility on the way to the airport and her cat jumped out of the car when MD 1 opened the door. While MD 1 was retrieving the cat someone stole all of her bags and her coat from the back seat of her car. Documents containing the protected health information of Patients 2 through 13 were in her coat pocket and these were also stolen. MD 1 reported the theft of these documents to the hospital the following day, 12/11/13.Since the PA could not provide additional information, the Manager of Accreditation and Licensing (MAL), also present during the telephone conference, agreed to contact MD 1 on her return from bereavement leave.During a telephone call on 2/18/14 at 12:00 PM, MAL stated she had spoken with MD 1 who stated she knew of the death in her family one week earlier that her airline flight for the bereavement leave. MD 1 told MAL she had worked until about 10:30 PM to 11:00 PM on 12/9/13. When she completed her shift she inadvertently put the patient "sign-out sheets" in the pocket of her lab coat and then put her lab coat into her work bag and went home. MAL stated that MD 1 said the usual practice was to put these "sign-out sheets" into a Destruct Bin at the hospital rather than to take them home. MAL said that MD 1 told her that she had a 7:00 AM flight on 12/10/13 and when she stopped that morning to take her cat to the boarding kennel, the cat jumped out of the car and went under the car. MD 1 said that when she coaxed the cat from under the car she immediately took it inside the boarding facility. MD 1 did not lock the car when she went into the cat boarding facility. Upon her return to the car, MD 1 noted that all the bags in her back car seat, including her work bag with Patients' 2 through 13 PHI documents, had been stolen. MD 1 reported the theft to the hospital on 12/11/13.MAL summarized that due to MD 1's rushed state of mind when leaving the hospital on 12/9/13, she had inadvertently put the documents into her lab coat pocket instead of putting them into the Destruct Bin at work. MAL said that on 12/10/13 MD 1 was rushed in going to the airport and was upset by the cat's jumping under the car, and these issues distracted MD 1 from locking the car door when she entered the cat boarding facility. There were no documents available for review, but MAL said the "sign-out sheets" contained each patient's name, medical record number, date of birth, date of service, some health information pertaining to the patient being on the heart failure service, and MD 1's clinical exam notes. This was protected health information for each of the twelve patients under MD 1's care on 12/9/13.Review of a copy of one of the letters sent to Patients 2 through 13 indicated the letter was dated 12/16/13, five days after discovery of the loss of their confidential protected health information.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights