This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO, CA 94143

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 5, 2014. Also cited in 108 other reports.


Report ID: 9WSI11.01, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review the facility failed to maintain the confidentiality of Protected Health Information (PHI) for two sampled patients (Patient 1 and Patient 2) when:

1. Patient 1's clinical records were inadvertently faxed to a private individual.
2. Patient 2's clinical records were inadvertently faxed to an incorrect health care provider.

This deficient practice resulted in the breach of the PHI documents of Patients 1 and 2, and possible unauthorized use.

Findings:

1. During a review of the facility letter sent to the State Agency (SA is the California Department of Public Health - CDPH) dated 4/21/14, it indicated: "On 4/8/2014, XXX (name of the facility) verified that some of a patient's provider notes and progress reports were inadvertently faxed to an incorrect recipient. ..."

In an interview with the Privacy Compliance Analyst (PCA) on 5/5/14 at 1:47 p.m., PCA stated that when the facility staff faxed the document, the facility staff entered the "wrong area code" and the documents went to an unintended recipient (a private individual). PCA further stated that the unintended recipient had contacted the facility because the unintended recipient had been receiving fax documents from 4/10/14 to 4/17/14.

Review of the faxed breached documents of Patient 1 showed:

A. XXX (name of the facility) Form that had: Name of Patient 1, mailing address, sex, last four digits of Social Security Number, Date of Birth (DOB), Medical Record Number (MRN), account number, date and time of service, names of Guarantor and the corresponding phone numbers, names of the primary and referring physicians, name of primary and secondary insurance coverage and the subscriber ID (identification) number.

B. Hematology/BMT H & P Notes dated from 4/10/14 to 4/15/14 showed: admit date, subjective assessment, vital signs, intake and output summary, pain score, weight log, physical exam results, scheduled medications, laboratory results, problem-based assessment plans, nutritional and infectious disease and psychiatric assessment plans, code status and the name of the health care providers.

2. During a review of the facility letter sent to the SA, dated 4/14/14, it indicated: "On 4/9/2014, XXX (name of the facility) verified that a patient's history and physical was inadvertently faxed (via APeX automated fax) to an incorrect health care provider. ..."

In an interview with the Privacy Compliance Analyst (PCA) on 5/5/14 at 1:15 p.m., PCA stated that a misdirected fax of Patient 2's History and Physical documents was sent to an unintended recipient who had a similar name to the actual recipient. PCA further explained that the facility staff entered the "wrong" name of the physician on the automated fax machine.

Review of the breached documents of Patient 2 showed the following: Name of Patient 2, Medical Record Number (MRN), date of service, Date of Birth (DOB), name of the physician, visit type, principal diagnoses, past medical/surgical/family/social history, medications and allergies, result of physical examination, result of radiology studies, assessment and plan and name of the health care provider.

Review of the facility Policy and Procedure titled: "Confidentiality, Access, Use, and Disclosure of Protected health information and Patient Safety, Policy, 5.02.01, Issued: 5/91, Last approval: 2/13. PURPOSE: To ensure patient and confidentiality standards are consistent with state and federal laws and regulations for the access, use and disclosure of protected health information. III. DEFINITIONS: Confidentiality: ... Medical records ... are considered confidential. Protected Health information (PHI): is an individual's health information or data collected from an individual that is created or received by a health care provider ... past, present or future physical or mental health condition of an individual ... identifies or could reasonably identify the individual; and is transmitted or maintained in electronic or any other form of medium. IV. POLICY: It is the policy of ... to protect the privacy and confidentiality of personal information, including PHI when it is created, transmitted ... to ensure that handling of such information is consistent with federal and state laws ... "

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
