r~.c~, department qf public health ki .. i h .., … document librar… · 23.12.2009 ·...

CALIFORNIA HEALTH AND HUMAN SERVICES ArENCY r~c~ t1~~tt1 DEPARTMENT QF PUBLIC HEALTH ( middot I KI I h lbbull - 1--

IS TATEMENT OF DEFICIENCIES

AND PLAN OF CORRECTION

(Xl) PROVIDERSUPPLIERCUA

IDENT1FJCAT10N NUMBER

050228

(X2) MULTIPLE CONSTRUCTION

A BUILDING

B MNG

(fa) DATJslii ~V-

COMPLETED

12232009

NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE

SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY

(X4) ID SUMMARY STATEMENT OF DEFICIENCIES

(EACH DEFICIENCY MUST BE PRECEEOED BY FULL

REGULATORY OR LSC IDENTIFYING INFORMATION

ID

The following reflects the findings of the Department of Public Health during a complainVbreach event visit

Complaint Intake NumberCA00211950 - Substantiated

Representing the Department of Public Health Suleyor ID 23107 HFEN

The inspection was limited to the specific faci lity event investigated and does not represent the findings of a full inspection of the facility

Health and Safety Code Section 128015(a) A clinic health facility home health agency or hospdegice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patients medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative p~nalty for a violation of t~is section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed middot used or disclosed and up to seventeen thousand five hundred dollars ($17 500) per subsequent occurrence middotof unlawful or unauthorized access use or disclosure of that patients medical information

For CA00211950 violation of Health and Safety Code 128015(a) for failure to prevent unauthorized access to patients medical information

PROVIDERS PUN OF CORRECTION

(EACH CORRECTIVE ACTION SHOULD BE CROSS REFERENCED TO THE APPROPRIATE DEFICIENCY

(XS) PREFIX PREFIX COMPLETE

TAG TAG DATE

middot ~ [ 1 Ii ~ JH middot middot j p Jf( I bulli~middotC hI bull J li bullh - iJbamp

~()bull middot

SEP 1 4 2012 fmiddotmiddot ~

I

-- ~) ~ l~~c DlViSCN i

SAN FPANCISCO

Action(s)The employee involved in this privacy breach

June 2009had been oriented to their responsibilities toprotect the confidentiality of patient protectedhealth information (PHI) and to medicalinformation privacy requirements and wascounseled following the self-report of theincident (see Attachment 1)

Before and after this privacy breach incident in 2009 hospital leadership has engaged in ongoingefforts via memos emails staff trainings and employee annual update trainingto ensure that hospital staff are educated and knowledgeable about hospital and SFOPHprivacy and security policies

I The SFGH multidsciplinary Privacy Committee composed of the SFGH Privacy Officer and staff from the SFGH Privacy Office

Ongoing

II

InitiatedJuly 122011 andthe SFGH Chief Medical Officer the SFGH Chief ongoingCommunications Officer representatives from

the SFGH Legal Affairs Regulatory AffairsHealth Information Systems departments aswell as representatives from both the SFGH and UCSF Risk Management and Information

Event IDY7 1G11 8242012 11 3956AM

LA~TORY DIRECTORS OR PROVIDERSUPPLIER R~SENTATIVES SIGNATURE TITLE

~ Q f2M~ Ms Ceo middot Any deficiency statement ending with an asterisk () denoles a deficiency which the tnsl1tution may be excused from correcting providing it 1s determined

that other safeguards provide sufficient protection Jo the patients Except for nursing homes the findings above are d1sclosabte 90 days following lhe date

of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disctosabte 14 days following

the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program

particpation i _i nI ___1~~~---~ middot-shy

~ 1 ol 5

CALIFORNIA HtA L I H ANU H UIVIAN gttKVlt Altt111 T

DEPARTMENT OF PUBLIC HEALTH (

(X3) DATE SURVEY (X1) PR011lERISUPPLIERCLIA I (X2) MULTIPLE CONSTR~ 1VNSTATEMENT OF DEFICIENCIES COMPLETED IDENTIFICATION NUMBERANO PLAN OF CORRECTION bullA BUILDING

I S WING 12232009050228 middot

STREET ADDRESS CITY STATE ZIP CODE

10_01 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY NAME OF PROVIDER OR SUPPLIER

SAN F RANCISCO GENERAL HOSPITAL

suMMARY srATEMAFia~1~Ntks (X4) 10

PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL

TAG REGULATORY OR LSC IDENTIFYING INFORMATION)

s1LI0 f i1middotia11t1

CoRtinued From page

Substantiated

Informed Medical Breach

Health and Safety Code Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthori4ed access to or use or disclosure of a patients medicalmiddotinformation to the affected patient or the patients representative at the last known address no later than five business days middot after the unlawful or unauthorized access use or disclosure has been detected by the clinic health facility agency or hospice

The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information

128015(a) Health amp Safety Code 1280

(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 middot or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) ofSection 5605 of the Civil Code and consistent with Section 130203 The department afterinvestigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars

PROVIOERS PLAN OF CORRECTION (X5)

(EAOi CORRECTIVE ACTION SHOULD BE CROSSshy COMP ff I

REFERENCED TOTHE APPROPRIA E DEFICIENCY) I l)A11shyI

I 1 PREFIX t

I bull nr-n bull A w) 1 bull JI 5ft t middot l)LI I bullII

I f T - middot ~ I bullmiddot1 gtlt

bull Systems Departments meets monthly to review discuss amiddotnd recommend policy involving privacy compliance issues middot

In follow-up to a review of facility- related Manageshyprivacy breach cases reported to CDPH ment conducted by the SFGH Privacy Officer with Forum SFGH managers at the monthly Management Afgtril 24 Forum meeting including this 2009 incident 2012 theSFGH Chief of Staff and SFGH Privacy Officer presented the same review to the Chiefs of Service at a Medical Executive Committee (MEC) reminding the c~iefs about the hospital MEC and SFDPH privacy and security policies May 14 prohibiting the removal of patient protected 2012 information (PHI) including copies of the paper medical record froin the hospital as well as the penalties for violating these policies and the penalties for violating provisions of SB541 and middot AB211 (see Attachments 2 )

The SFGH Privacy Officer and the SFGH Initiated Privacy Analyst routinely conduct Privacy June2012 Roundswithin the hospital departments to and educate hqspital staff about privacy security and ongoing awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 34 5)

Monitoring The SFGH Privacy Officer and the SFGH Initiated Privacy Arialyst routinely conduct monthly audits June 2012 of the Ufetime Clinical Record (LCR) of all and employees of the City amp County of San ongoing Francisco Department of Public Health (CCSF

r 11

_i

-

I

8242012 113956AM

1tG t_4 i

Event 1DY71G11

TITLE (X6) DATE LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE

Any deficiency statement ending wilh an asterisk (middot) denoles a deficiency which the institulion may be excused from correcling providing it is determined

lhal other safeguards provide sufficienl protection to the patients Except for nursing homes lhe findings above are disclosable 90 days following the date

of survey whether or not a plan of correclion is prolllded For nursing homes the above findings and plans of correction are disclosable 14 days following

the dale lhese documents are made available to the facility If deficiencies are ciled an approved plan of correction is requisile lo continued program

participalion-----middot -------middot-- shy------ -- --middot-- - _ __ 2or 5

CALIFORNIA HEALTH AND HUMAN SERVICESmiddot ENCY

DEPARTMENTmiddotOF PUBLIC HEALTH STATEMENT OF DEFICIENCIES (X1) PROVIOER SUPPU ERICLIA (X2) MULTIPLE CONSTRUCTION (X3) OATE SURVEY

AND PLAN OF CORRECTION IDENTIFICATION NUMBER COMPLETED

A BUILDING

050228 B WING 12232009

NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZJP CODE


(X4JID SUMMARY STATEMENT OF DAi~ftf(EACH DEFICIENCY MUST ~i i

l ~ (jfU~L

REGULATORY OR LSC IOE~ ING JroRMATION)

middotv 1 ~ 10

Continued From page 1 SEP 14 012 Substantiated

~LampC c 11J~_middotiJfnformed Medical Breach SAN FRANCiSCC

Hlalth and Safety C_ode Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthorized access to or use or disclosure of a patients medical information to the affected patient or fhe patients represfntative at the last known address no later than five business days after the unlawful or unauthorized access use or disclosure has middotbeen detected by the clinic health facility agency or hospice



(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars

PROVIDERS PLAN OF CORRECTION (X5)

(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPlf l F REFERENCED TO rHE APPROPRIATE DEFICIENCY) llA1[

PREFIX _ tJC e d J~]tlTAG

DPH) and of all employees of the University of camomia San Francisco (UCSF) who received care as patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee

The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Ufetime Clinical Record (LCRJ of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee

Ongoing

The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarding privacy issues to the SFGH Quality Council In aodition they report any incidents of non-compliance with DPH and SFG_Hprivacy policies which occur during the year at the next scheduled SFGH Quality Council

Responsible Person(s) SFGH Privacy Officer CHN Senior Information Systems Manager

Ongoing

Event 1DY71G11 8242012 113956AM

LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE T ITLE (X6) DATE

Any deficiency statement ending with an asterisk (bull) denotes a deficiency which the institution may be excused from correcting providing it is determined

that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date

of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following

the date these documents are made available to the facility If defic1ences are cited an approved plan of correction is requisite to continued program

participation

middot----- ---middot----------- ------ ----- -- middot-middot --middotmiddot-middot-middot-middot 2 015

A

---

CALIFORNIA HEAL TH AND HUMAN SERVICE~ GENCY

DEPARTMENT OF PUBLIC HEAL TH

(X 1) PROVIDERSUPPLIERCUASTATEMENT OF DEFICIENCIES (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY IDENTIFICATION NUMBER AND PLAN OF CORRECTION COMPLETED

A BUILDING

050228 B MNG 12232009


SAN FRANCISCO G ENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY

(X4)1D SUMMARY STATEMENT OF DEFICIENC IES 10

PREFIX (EACH DEFICIENCY MUST BE PRECEEOEO BY FULL PREFIX

TA9 REGULATORY OR LSC IDENTIFYING INFORMATION) TAG

Continued From page 2

($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical information For purposes of the investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related middotstate and federal statutes and regulations the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring and factors outside its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when middot determining the amount of an administrative penalty pursuant to this section

T22 DIV5 CH1 ART7-70751b) Medical Record Availability (b) The medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons

These regulations were not met as evidenced by Based on interview and record review the facility failed to protect the medical records of five patients (Patient 1 2 3 4 amp 5) from loss and use by unauthorized persons when Physician 1 removed copies of part of the records from the facility Physicians 1s briefcase containing the patients medical information was stolen from his car on 12909

PROVIDERS PLAN OF CORRECTION (XS)

(EACH CORRE cnve ACTION SHOULD BE CROSSshy COMP Ello REFERENCED TO THE APPROPRIATE DEFICIENCY) DATE

I

II

T22 DIVS CHl1 ART7-70751 (b) Medical Record Availability 1 b) the medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons

Action(s) The employee involved in this privacy breach had been oriented to their responsibilities to protect the confidentiality of patient protected health information (PHI) and to medical information privacy requirements and was counseled folloMng the self-report of the incident (see Attachment 1)

June 2009

1 Before and after this privacy breach inciden2009 hospital leadership ~as e_nga--g_ed_i_n _

t in Ongoing

SEP 1 4

tampCCMSON SN FP~NCISCO

l _ --___ __ Event ID_Y71G11 8242012 11 3956AM

LABORATORY DIRECTORS OR PROV1DERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE

Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing 11 is deltermined

1hal other safeguards provide sufficienl protection to the patients Except for nursing homes thefindings above are disclosabte 90 days following the date

of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following

the date these documents are made available to the facility If deficiencies are cited an approved plan of coltrection is requi site to continued program

participahon

3 ol ~

(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION

A BUILDING

8 ftING050228 12232009



CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY

DEPARTMENTOF PUBLIC HEALTH ~

(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID

PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX

TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG


Findings

During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1

took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home

Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9

A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following

Purpose The purpose of this policy is to ensure

The confidentiality of protected health information

Procedure

D They (medical records) must not be taken from (name of facility) premises for any reason

PROVIDERS PLAN OF CORRECTION j (XS)

(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE

i ongoing efforts via memos emails staff 1

trainings and employee annual update training 1 to ensure that hospital staff are educated and

knowledgeable about hospital and SFDPHprivacy and security policies

InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief

Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues

ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~

i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the

middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH

I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot

E vent 1DY71G1 1 8242012 11 3956AM

LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot

SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined

that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date


the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program

participation

State-2567 4 of 5

rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION

A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228

NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY

8242012 113956AMEvent IDY71 G11

TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE

(X4) ID

PREFIX

TAG

SUMMARY STATEMENT OF DEFICIENCIES

(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL

REGULATORY OR LSC IDENTIFYING INFORMATION)


Findings

During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home

Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109

A review of the facilitys Health middot Information

Services Confidentiality Security and Release of Protected Health Information policy indicated the

following



Procedure


PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG

The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)

Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee

The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the

investiaation Audit results are reported

Initiated June 2012 and ongoing


Ongoing

Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined


of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following


participation

-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5

4f

CALIFORNIA HEALTH AND HUMAN SERVICES SENCY

DEPARTMENT OF PU~LIC HEALTH 1

STlTEMENT OF DEFICIENCIES

ANO PLAN OF CORRECTION

(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION

IOENTIFICA TION NUMBER

A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009


SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY

(X4) 1D PREFIX

TAG

SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I

REGULATORY OR LSC IDENTIFYING INFORMATION) I

I I


Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car

The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment

ID PREFIX

TAG

l PROVIDERS PLAN OF CORRECTION

(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)

quarterty to the Privacy Committee

The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council

ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager

CA DEPT OFFUBUCHEALTH t

~ t~

SEP 14 it i middotmiddot

1

middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot

I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM

LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE

A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed

lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date

of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9

the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program

participation

State-2567 S of S

CALIFORNIA HtA L I H ANU H UIVIAN gttKVlt Altt111 T

DEPARTMENT OF PUBLIC HEALTH (

(X3) DATE SURVEY (X1) PR011lERISUPPLIERCLIA I (X2) MULTIPLE CONSTR~ 1VNSTATEMENT OF DEFICIENCIES COMPLETED IDENTIFICATION NUMBERANO PLAN OF CORRECTION bullA BUILDING

I S WING 12232009050228 middot

STREET ADDRESS CITY STATE ZIP CODE

10_01 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY NAME OF PROVIDER OR SUPPLIER

SAN F RANCISCO GENERAL HOSPITAL

suMMARY srATEMAFia~1~Ntks (X4) 10

PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL

TAG REGULATORY OR LSC IDENTIFYING INFORMATION)

s1LI0 f i1middotia11t1

CoRtinued From page

Substantiated

Informed Medical Breach

Health and Safety Code Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthori4ed access to or use or disclosure of a patients medicalmiddotinformation to the affected patient or the patients representative at the last known address no later than five business days middot after the unlawful or unauthorized access use or disclosure has been detected by the clinic health facility agency or hospice



(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 middot or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) ofSection 5605 of the Civil Code and consistent with Section 130203 The department afterinvestigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars

PROVIOERS PLAN OF CORRECTION (X5)

(EAOi CORRECTIVE ACTION SHOULD BE CROSSshy COMP ff I

REFERENCED TOTHE APPROPRIA E DEFICIENCY) I l)A11shyI

I 1 PREFIX t

I bull nr-n bull A w) 1 bull JI 5ft t middot l)LI I bullII

I f T - middot ~ I bullmiddot1 gtlt

bull Systems Departments meets monthly to review discuss amiddotnd recommend policy involving privacy compliance issues middot

In follow-up to a review of facility- related Manageshyprivacy breach cases reported to CDPH ment conducted by the SFGH Privacy Officer with Forum SFGH managers at the monthly Management Afgtril 24 Forum meeting including this 2009 incident 2012 theSFGH Chief of Staff and SFGH Privacy Officer presented the same review to the Chiefs of Service at a Medical Executive Committee (MEC) reminding the c~iefs about the hospital MEC and SFDPH privacy and security policies May 14 prohibiting the removal of patient protected 2012 information (PHI) including copies of the paper medical record froin the hospital as well as the penalties for violating these policies and the penalties for violating provisions of SB541 and middot AB211 (see Attachments 2 )

The SFGH Privacy Officer and the SFGH Initiated Privacy Analyst routinely conduct Privacy June2012 Roundswithin the hospital departments to and educate hqspital staff about privacy security and ongoing awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 34 5)

Monitoring The SFGH Privacy Officer and the SFGH Initiated Privacy Arialyst routinely conduct monthly audits June 2012 of the Ufetime Clinical Record (LCR) of all and employees of the City amp County of San ongoing Francisco Department of Public Health (CCSF

r 11

_i

-

I

8242012 113956AM

1tG t_4 i

Event 1DY71G11

TITLE (X6) DATE LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE

Any deficiency statement ending wilh an asterisk (middot) denoles a deficiency which the institulion may be excused from correcling providing it is determined

lhal other safeguards provide sufficienl protection to the patients Except for nursing homes lhe findings above are disclosable 90 days following the date

of survey whether or not a plan of correclion is prolllded For nursing homes the above findings and plans of correction are disclosable 14 days following

the dale lhese documents are made available to the facility If deficiencies are ciled an approved plan of correction is requisile lo continued program

participalion-----middot -------middot-- shy------ -- --middot-- - _ __ 2or 5




A BUILDING

050228 B WING 12232009




l ~ (jfU~L


middotv 1 ~ 10












Ongoing



Ongoing

Event 1DY71G11 8242012 113956AM






participation


A

---




A BUILDING

050228 B MNG 12232009












I

II



June 2009


t in Ongoing

SEP 1 4


l _ --___ __ Event ID_Y71G11 8242012 11 3956AM






participahon

3 ol ~


A BUILDING

8 ftING050228 12232009









Findings







Procedure













E vent 1DY71G1 1 8242012 11 3956AM






participation

State-2567 4 of 5




8242012 113956AMEvent IDY71 G11


(X4) ID

PREFIX

TAG





Findings





following



Procedure









Ongoing





participation


4f







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S




A BUILDING

050228 B WING 12232009




l ~ (jfU~L


middotv 1 ~ 10












Ongoing



Ongoing

Event 1DY71G11 8242012 113956AM






participation


A

---




A BUILDING

050228 B MNG 12232009












I

II



June 2009


t in Ongoing

SEP 1 4


l _ --___ __ Event ID_Y71G11 8242012 11 3956AM






participahon

3 ol ~


A BUILDING

8 ftING050228 12232009









Findings







Procedure













E vent 1DY71G1 1 8242012 11 3956AM






participation

State-2567 4 of 5




8242012 113956AMEvent IDY71 G11


(X4) ID

PREFIX

TAG





Findings





following



Procedure









Ongoing





participation


4f







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S




A BUILDING

050228 B MNG 12232009












I

II



June 2009


t in Ongoing

SEP 1 4


l _ --___ __ Event ID_Y71G11 8242012 11 3956AM






participahon

3 ol ~


A BUILDING

8 ftING050228 12232009









Findings







Procedure













E vent 1DY71G1 1 8242012 11 3956AM






participation

State-2567 4 of 5




8242012 113956AMEvent IDY71 G11


(X4) ID

PREFIX

TAG





Findings





following



Procedure









Ongoing





participation


4f







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S


A BUILDING

8 ftING050228 12232009









Findings







Procedure













E vent 1DY71G1 1 8242012 11 3956AM






participation

State-2567 4 of 5




8242012 113956AMEvent IDY71 G11


(X4) ID

PREFIX

TAG





Findings





following



Procedure









Ongoing





participation


4f







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S




8242012 113956AMEvent IDY71 G11


(X4) ID

PREFIX

TAG





Findings





following



Procedure









Ongoing





participation


4f







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S







A BUILDING

050228 B WING

(X3) DATE SURVEY

COMPLETED

12232009



(X4) 1D PREFIX

TAG



I I




ID PREFIX

TAG







~ t~


1


I (X5

COMPIJ 11

llAII

Ongoing June 2009

Ongoing

Event IDY7 1G11 8242012 113956AM






participation

State-2567 S of S

r~.c~, department qf public health ki .. i h .., … document librar… · 23.12.2009 ·...

Documents