Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 20, 2014. Also cited in 108 other reports.
Report ID: G2CM11.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to notify the State Agency (SA is the California Department of Public Health -CDPH) of the breach of medical health information in a timely manner for three Patients (Patients 1, 2, and 3). Findings:1. For CA00384340In an interview with the Privacy Compliance Analyst (PCA) 1 on 2/20/14 at 1:40 p.m., PCA 1 stated the consult letter for Patient 1 was inadvertently faxed to the incorrect health care provider on 1/7/14 not on 1/6/14 as was previously reported. PCA 1 showed evidence of a copy of the faxed document which had a date on the bottom of the page as 1/7/14. PCA 1 explained the intended recipient and the actual recipient had almost "similar" last names. PCA 1 stated the facility discovered the breach of information on 1/7/14.Review of the consult letter of Patient 1, dated 1/6/14, revealed the following information: name of Patient 1, medical record number, date of birth, date of the visit, subjective complaint, review of system, medical, surgical, family, and social histories, allergies, medications, physical examination, assessment and plan, electronic signature of the health care provider. In an interview with the Manager Accreditation and Licensing (MAL), on 2/20/14 at 1:42 p.m., MLA stated that the facility notified the CDPH on 1/17/14. The CDPH verified that the facility notified Patient 1 of the breach on 1/17/14. 2. For CA00384393In an interview with the Privacy Compliance Analyst (PCA) 1 on 2/20/14 at 1:35 p.m., PCA 1 stated that the consult letter dated 1/7/14 for Patient 2 was faxed to the incorrect health care provider. PCA 1 explained that the facility staff selected the "wrong provider" and the recipient health care provider faxed the document back to the facility stating "it was not his patient". PCA 1 stated the facility discovered the breach on 1/7/14. During a review of the misdirected consult letter dated 1/7/14, it revealed the following information: name of Patient 2, medical record number, date of birth, date of visit, health status information from last medical visit and electronic signature of the treating health care provider.In an interview with the Manager Accreditation and Licensing (MAL), on 2/20/14 at 1:38 p.m., MAL stated that the CDPH was notified on 1/17/14. The CDPH verified that the facility notified Patient 2 of the breach on 1/17/14.3. For CA00383816In an interview with the Privacy Compliance Analyst (PCA) 2, on 2/20/14 at 1:49 p.m., PCA 2 stated the consult letter was inadvertently faxed to the incorrect health care provider. PCA 2 explained that the facility staff entered the wrong patient so it went to the wrong recipient. PCA 2 stated the facility discovered the breach on 1/2/14.Review of the breach consult letter dated 7/12/13 revealed the following information: Name of Patient 3, medical record number, date of birth, date of visit, chief complaint, history of present illness, personal cancer history, review of systems, physical examination assessment and plan and electronic signature of the health care provider.In an interview with the Manager Accreditation and Licensing (MAL), on 2/20/14 at 1:52 p.m., MAL stated that the facility notified the CDPH on 1/13/14.The CDPH verified that the facility notified the parent of Patient 3 of the breach on 1/13/14.Review of facility Policy and Procedure, POLICY 1.01.18, General and Administrative Regulatory Agencies - Reporting Events, Issued: July, 1999, Last Approval: March, 2011. I. PURPOSE: This policy establishes procedures for complying with federal, state and local requirements to report certain events and occurrences. III. DEFINITIONS: Reportable Event;, ... Unauthorized disclosures of individually identified medical ... information pursuant to California Health & Safety Code 1280.15 ad as defined by California Civil code 56.05. Reportable events are reported to the California Department of Public Health (CDPH) ... IV. POLICY: UCSF medical Center has an established process for timely notifying appropriate regulatory agencies about events and occurrences as required by law or regulation....
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280