Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 15, 2015. Also cited in 108 other reports.
Report ID: D6DQ11.02, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to report a breach of protected health information to CDPH within the five day grace period when:1. the breach of Patient 1's information was not reported until the next day after the five business day grace period, and2. the breach of Patient 2's confidential information was not reported to CDPH until the second day after the five business day grace period.Findings: 1. CA00424146 (2014-253)During an interview on 1/26/15 at approximately 2:45 PM, the hospital's Privacy Analyst, (PA 4) stated that the intended recipient of the consultation letter had moved his practice but both his new and his old fax numbers were still in the registration/fax system. The consulting physician selected the old fax (incorrect) number and sent the consultation letter. The recipient returned the fax to the hospital on 12/10/14.Record review indicated that the consultation letter contained the following of Patient 1's protected health information: name, medical record number, date of birth, date of service, history, diagnoses, current medications, social history, family history, physical examination, laboratory results, test results, assessment and plan. Record review indicated a faxed notice, dated 12/18/14, from the hospital to CDPH notifying CDPH of the breach of Patient 1's PHI.During an interview with the hospital's Manager, Accreditation and Licensing (Mgr) on 1/26/15 at approximately 2:45 PM, the Mgr. acknowledged that the faxed notice of the breach sent to CDPH was one day late.2. CA00424151 (2014-254)During an interview on 1/26/15 at approximately 3:00 PM, the hospital's Privacy Analysts (PA 1) stated some of Patient 2's protected medical information was breached when a Social Worker left her notebook, which contained this information, unattended in another patient's room. Record review indicated a copy of a notebook page which contained the following PHI for Patient 2: name, date of encounter, diagnoses, family contacts, and possible hospital plan. Record review indicated a faxed notice, dated 12/18/14, notifying CDPH of the breach of Patient 2's confidential information. This report to CDPH was three days late.During an interview with the hospital's Mgr on 1/26/15 at approximately 3:00 PM, the Mgr. acknowledged that the faxed notice of the breach sent to CDPH was two days late.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280