UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

Report ID: YUCS11, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to maintain the confidentiality of protected health information when such information, for 7 patients, was either faxed, mailed, or handed to an incorrect patient. This had the potential for misuse of each patient's confidential information.Findings:1. Complaint # CA00391722:Review of a letter dated March 19,2014, indicated, "On 3/17/14, (the facility verified that a (facility's) patient's outside medical records were inadvertently handed to another patient. We were notified of this event on 3/13/2014. The patient whose health information was inadvertently disclosed was notified on 3/18/2014 by a letter sent from the manager.During an interview on 4/23/14 at 9:00 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/13/14. The facility notified California Department of Public Health (CDPH) on 3/17/14. The patient was notified by letter on 3/18/14. The department of the facility was "Acute Pediatric Surgery" and the personnel involved was RN 1. The nurse was required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 4/24/14 was signed by RN 1.During an interview on 4/23/14 at 9:15 AM, Privacy Officer 1, stated, "RN 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."2. Complaint # CA00393786Review of a letter dated April 4,2014, indicated, "On 4/3/2014, (the facility verified that a patient's "After Visit Summary" was inadvertently handed to another patient. We were notified of this event on 3/31/2014. The patient whose health information was inadvertently disclosed was notified on 4/4/2012 by a letter sent from the manager."During an interview on 4/23/14 at 9:30 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/31/14. The facility notified CDPH on 4/3/14. The patient was notified by letter on 4/4/14. The department involved was the dermatology clinic and the personnel involved was employee 1. Employee 1 was counseled, and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 4/09/14 was signed by employee 1.During an interview on 4/23/14 at 9:45 AM, Privacy Officer 1, stated, "Employee 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."3. Complaint # CA00390637Review of a letter dated 3/7/2014, indicated, "On 3/4/12, (the facility) verified that a patient's consult letter was inadvertently faxed (via APeX automated fax) to the incorrect healthcare provider. We were notified of this event on 3/3/2014. The patient whose health information was inadvertently disclosed was notified on 3/7/2014 by a letter sent from the manager."During an interview on 4/23/14 at 10:00 AM, Privacy Officer 1, stated, "the event was known by the facility on 3/3/14. The facility notified CDPH on 3/7/14. The facility notified the patient on 3/7/14 by letter. The department involved was Neurological Surgery (brain surgery) and the personnel involved was employee 3. Employee 3 was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/5/14 was signed by employee 3.During an interview on 4/23/14 at 10:15 AM, Privacy Officer 1, stated, "Employee 3 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."4. Complaint # 390639Review of a letter dated March 7,2014, indicated, "On 3/7/2014. (the facility) verified that a patient's pathology report was inadvertently mailed to the incorrect healthcare provider. We were notified of this event on 3/4/2014. The patient whose health information was inadvertently disclosed was notified on 3/7/2014 by a letter sent from the manager.During an interview on 4/23/14 at 10:30 AM, Privacy Officer 2, stated, "the event was known by the facility on 3/3/14. The facility notified CDPH on 3/7/14. The facility notified the patient on 3/7/14 by letter. The department involved was Pathology and the personnel involved was Lab Technician 1 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/5/14 was signed by Lab Technician 1.During an interview on 4/23/14 at 11:00 AM, Privacy Officer 1, stated, "Lab Technician 1 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."5. Complaint # 391118Review of a letter dated March 13,2014, indicated, "On 3/12/2014, (the facility) verified that a patient's prescription was inadvertently transferred to the incorrect healthcare provider in another patient's discharge packet. We were notified of this event on 3/10/2014. The patient whose health information was inadvertently disclosed was notified on 3/13/2014 by a letter sent from the manager."During an interview on 4/23/14 at 11:30 AM, Privacy Officer 3, stated, "the event was known by the facility on 3/10/14. The facility notified CDPH on 3/13/14. The facility notified the patient on 3/13/14 by letter. The department involved was the Emergency Department and the personnel involved was employee 2 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/15/14 was signed by employee 2.During an interview on 4/23/14 at 11:00 AM, Privacy Officer 3, stated, "employee 2 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."6. Complaint # 392157Review of a letter dated March 20,2014, indicated, "On 3/19/2014, (the facility) verified that a patient's "After Visit Summary" was inadvertently handed to another patient. We were notified of this event on 3/17/2014. The patient whose health information was inadvertently disclosed was notified on 3/20/2014 by a letter send from the manager."During an interview on 4/23/14 at 12:00 Noon, Privacy Officer 3, stated, "the event was known by the facility on 3/17/14. The facility notified CDPH on 3/20/14. The facility notified the patient on 3/19/14 by letter. The department involved was the Dermatology Clinic and the personnel involved was employee 4 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/19/14 was signed by employee 4.During an interview on 4/23/14 at 12:30 PM, Privacy Officer 3, stated, "employee 4 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."7. Complaint # 391119Review of a letter dated March 13,2014, indicated, "On 3/13/2014, (the facility) verified that a patient's "After Visit Summary was inadvertently handed to another patient. We were notified of this event on 3/7/2014. The patient whose health information was inadvertently disclosed was notified on 3/13/2014 by a letter sent from the manager.During an interview on 4/23/14 at 1:00 PM, Privacy Officer 3, stated, "the event was known by the facility on 3/7/14. The facility notified CDPH on 3/13/14. The facility notified the patient on 3/13/14 by letter. The department involved was the Breast Center and the personnel involved was employee 5 who was counseled and required to repeat training."Review of facility's "Acknowledgement of Responsibility" dated 3/19/14 was signed by employee 5.During an interview on 4/23/14 at 1:30 PM, Privacy Officer 3, stated, "employee 5 was also required to review the "Statement of Privacy Laws and University Policy" as well as being retrained in HIPAA (Health Insurance Portability and Accountability Act)."

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights