This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO,CA 94143

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 23, 2014. Also cited in 108 other reports.


Report ID: YUCS11, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to maintain the confidentiality of protected health information when such information, for 7 patients, was either faxed, mailed, or handed to an incorrect patient. This had the potential for misuse of each patient's confidential information.Findings:1. Complaint # CA00391722:Review of a letter dated March 19,2014, indicated, "On 3/17/14, (the facility verified that a (facility's) patient's outside medical records were inadvertently handed to another patient. We were notified of this event on 3/13/2014. The patient whose health information was inadvertently disclosed was notified on 3/18/2014 by a letter sent from the manager.During an interview on 4/23/14 at 9:00 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/13/14. The facility notified California Department of Public Health (CDPH) on 3/17/14. The patient was notified by letter on 3/18/14. The department of the facility was "Acute Pediatric Surgery" and the personnel involved was RN 1. The nurse was required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 4/24/14 was signed by RN 1.During an interview on 4/23/14 at 9:15 AM, Privacy Officer 1, stated, "RN 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."2. Complaint # CA00393786Review of a letter dated April 4,2014, indicated, "On 4/3/2014, (the facility verified that a patient's "After Visit Summary" was inadvertently handed to another patient. We were notified of this event on 3/31/2014. The patient whose health information was inadvertently disclosed was notified on 4/4/2012 by a letter sent from the manager."During an interview on 4/23/14 at 9:30 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/31/14. The facility notified CDPH on 4/3/14. The patient was notified by letter on 4/4/14. The department involved was the dermatology clinic and the personnel involved was employee 1. Employee 1 was counseled, and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 4/09/14 was signed by employee 1.During an interview on 4/23/14 at 9:45 AM, Privacy Officer 1, stated, "Employee 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."3. Complaint # CA00390637Review of a letter dated 3/7/2014, indicated, "On 3/4/12, (the facility) verified that a patient's consult letter was inadvertently faxed (via APeX automated fax) to the incorrect healthcare provider. We were notified of this event on 3/3/2014. The patient whose health information was inadvertently disclosed was notified on 3/7/2014 by a letter sent from the manager."During an interview on 4/23/14 at 10:00 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/3/14. The facility notified CDPH on 3/7/14. The facility notified the patient on 3/7/14 by letter. The department involved was Neurological Surgery (brain surgery) and the personnel involved was employee 3. Employee 3 was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/5/14 was signed by employee 3.During an interview on 4/23/14 at 10:15 AM, Privacy Officer 1, stated, "Employee 3 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."4. Complaint # 390639Review of a letter dated March 7,2014, indicated, "On 3/7/2014. (the facility) verified that a patient's pathology report was inadvertently mailed to the incorrect healthcare provider. We were notified of this event on 3/4/2014. The patient whose health information was inadvertently disclosed was notified on 3/7/2014 by a letter sent from the manager.During an interview on 4/23/14 at 10:30 AM, Privacy Officer 2, stated, "the event was known by the facility on 3/3/14. The facility notified CDPH on 3/7/14. The facility notified the patient on 3/7/14 by letter. The department involved was Pathology and the personnel involved was Lab Technician 1 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/5/14 was signed by Lab Technician 1.During an interview on 4/23/14 at 11:00 AM, Privacy Officer 1, stated, "Lab Technician 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."5. Complaint # 391118Review of a letter dated March 13,2014, indicated, "On 3/12/2014, (the facility) verified that a patient's prescription was inadvertently transferred to the incorrect healthcare provider in another patient's discharge packet. We were notified of this event on 3/10/2014. The patient whose health information was inadvertently disclosed was notified on 3/13/2014 by a letter sent from the manager."During an interview on 4/23/14 at 11:30 AM, Privacy Officer 3, stated, "the event was known by the facility on 3/10/14. The facility notified CDPH on 3/13/14. The facility notified the patient on 3/13/14 by letter. The department involved was the Emergency Department and the personnel involved was employee 2 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/15/14 was signed by employee 2.During an interview on 4/23/14 at 11:00 AM, Privacy Officer 3, stated, "employee 2 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."6. Complaint # 392157Review of a letter dated March 20,2014, indicated, "On 3/19/2014, (the facility) verified that a patient's "After Visit Summary" was inadvertently handed to another patient. We were notified of this event on 3/17/2014. The patient whose health information was inadvertently disclosed was notified on 3/20/2014 by a letter send from the manager."During an interview on 4/23/14 at 12:00 Noon, Privacy Officer 3, stated, "the event was known by the facility on 3/17/14. The facility notified CDPH on 3/20/14. The facility notified the patient on 3/19/14 by letter. The department involved was the Dermatology Clinic and the personnel involved was employee 4 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/19/14 was signed by employee 4.During an interview on 4/23/14 at 12:30 PM, Privacy Officer 3, stated, "employee 4 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."7. Complaint # 391119Review of a letter dated March 13,2014, indicated, "On 3/13/2014, (the facility) verified that a patient's "After Visit Summary was inadvertently handed to another patient. We were notified of this event on 3/7/2014. The patient whose health information was inadvertently disclosed was notified on 3/13/2014 by a letter sent from the manager.During an interview on 4/23/14 at 1:00 PM, Privacy Officer 3, stated, "the event was known by the facility on 3/7/14. The facility notified CDPH on 3/13/14. The facility notified the patient on 3/13/14 by letter. The department involved was the Breast Center and the personnel involved was employee 5 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/19/14 was signed by employee 5.During an interview on 4/23/14 at 1:30 PM, Privacy Officer 3, stated, "employee 5 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights

Do you believe your privacy has been violated? Here’s what you can do: