r~.c~, department qf public health ki .. i h .., … document librar… · 23.12.2009 ·...
TRANSCRIPT
CALIFORNIA HEALTH AND HUMAN SERVICES ArENCY r~c~ t1~~tt1 DEPARTMENT QF PUBLIC HEALTH ( middot I KI I h lbbull - 1--
IS TATEMENT OF DEFICIENCIES
AND PLAN OF CORRECTION
(Xl) PROVIDERSUPPLIERCUA
IDENT1FJCAT10N NUMBER
050228
(X2) MULTIPLE CONSTRUCTION
A BUILDING
B MNG
(fa) DATJslii ~V-
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4) ID SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOED BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION
ID
The following reflects the findings of the Department of Public Health during a complainVbreach event visit
Complaint Intake NumberCA00211950 - Substantiated
Representing the Department of Public Health Suleyor ID 23107 HFEN
The inspection was limited to the specific faci lity event investigated and does not represent the findings of a full inspection of the facility
Health and Safety Code Section 128015(a) A clinic health facility home health agency or hospdegice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patients medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative p~nalty for a violation of t~is section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed middot used or disclosed and up to seventeen thousand five hundred dollars ($17 500) per subsequent occurrence middotof unlawful or unauthorized access use or disclosure of that patients medical information
For CA00211950 violation of Health and Safety Code 128015(a) for failure to prevent unauthorized access to patients medical information
PROVIDERS PUN OF CORRECTION
(EACH CORRECTIVE ACTION SHOULD BE CROSS REFERENCED TO THE APPROPRIATE DEFICIENCY
(XS) PREFIX PREFIX COMPLETE
TAG TAG DATE
middot ~ [ 1 Ii ~ JH middot middot j p Jf( I bulli~middotC hI bull J li bullh - iJbamp
~()bull middot
SEP 1 4 2012 fmiddotmiddot ~
I
-- ~) ~ l~~c DlViSCN i
SAN FPANCISCO
Action(s)The employee involved in this privacy breach
June 2009had been oriented to their responsibilities toprotect the confidentiality of patient protectedhealth information (PHI) and to medicalinformation privacy requirements and wascounseled following the self-report of theincident (see Attachment 1)
Before and after this privacy breach incident in 2009 hospital leadership has engaged in ongoingefforts via memos emails staff trainings and employee annual update trainingto ensure that hospital staff are educated and knowledgeable about hospital and SFOPHprivacy and security policies
I The SFGH multidsciplinary Privacy Committee composed of the SFGH Privacy Officer and staff from the SFGH Privacy Office
Ongoing
II
InitiatedJuly 122011 andthe SFGH Chief Medical Officer the SFGH Chief ongoingCommunications Officer representatives from
the SFGH Legal Affairs Regulatory AffairsHealth Information Systems departments aswell as representatives from both the SFGH and UCSF Risk Management and Information
Event IDY7 1G11 8242012 11 3956AM
LA~TORY DIRECTORS OR PROVIDERSUPPLIER R~SENTATIVES SIGNATURE TITLE
~ Q f2M~ Ms Ceo middot Any deficiency statement ending with an asterisk () denoles a deficiency which the tnsl1tution may be excused from correcting providing it 1s determined
that other safeguards provide sufficient protection Jo the patients Except for nursing homes the findings above are d1sclosabte 90 days following lhe date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disctosabte 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
particpation i _i nI ___1~~~---~ middot-shy
~ 1 ol 5
CALIFORNIA HtA L I H ANU H UIVIAN gttKVlt Altt111 T
DEPARTMENT OF PUBLIC HEALTH (
(X3) DATE SURVEY (X1) PR011lERISUPPLIERCLIA I (X2) MULTIPLE CONSTR~ 1VNSTATEMENT OF DEFICIENCIES COMPLETED IDENTIFICATION NUMBERANO PLAN OF CORRECTION bullA BUILDING
I S WING 12232009050228 middot
STREET ADDRESS CITY STATE ZIP CODE
10_01 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY NAME OF PROVIDER OR SUPPLIER
SAN F RANCISCO GENERAL HOSPITAL
suMMARY srATEMAFia~1~Ntks (X4) 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL
TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
s1LI0 f i1middotia11t1
CoRtinued From page
Substantiated
Informed Medical Breach
Health and Safety Code Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthori4ed access to or use or disclosure of a patients medicalmiddotinformation to the affected patient or the patients representative at the last known address no later than five business days middot after the unlawful or unauthorized access use or disclosure has been detected by the clinic health facility agency or hospice
The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information
128015(a) Health amp Safety Code 1280
(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 middot or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) ofSection 5605 of the Civil Code and consistent with Section 130203 The department afterinvestigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars
PROVIOERS PLAN OF CORRECTION (X5)
(EAOi CORRECTIVE ACTION SHOULD BE CROSSshy COMP ff I
REFERENCED TOTHE APPROPRIA E DEFICIENCY) I l)A11shyI
I 1 PREFIX t
I bull nr-n bull A w) 1 bull JI 5ft t middot l)LI I bullII
I f T - middot ~ I bullmiddot1 gtlt
bull Systems Departments meets monthly to review discuss amiddotnd recommend policy involving privacy compliance issues middot
In follow-up to a review of facility- related Manageshyprivacy breach cases reported to CDPH ment conducted by the SFGH Privacy Officer with Forum SFGH managers at the monthly Management Afgtril 24 Forum meeting including this 2009 incident 2012 theSFGH Chief of Staff and SFGH Privacy Officer presented the same review to the Chiefs of Service at a Medical Executive Committee (MEC) reminding the c~iefs about the hospital MEC and SFDPH privacy and security policies May 14 prohibiting the removal of patient protected 2012 information (PHI) including copies of the paper medical record froin the hospital as well as the penalties for violating these policies and the penalties for violating provisions of SB541 and middot AB211 (see Attachments 2 )
The SFGH Privacy Officer and the SFGH Initiated Privacy Analyst routinely conduct Privacy June2012 Roundswithin the hospital departments to and educate hqspital staff about privacy security and ongoing awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 34 5)
Monitoring The SFGH Privacy Officer and the SFGH Initiated Privacy Arialyst routinely conduct monthly audits June 2012 of the Ufetime Clinical Record (LCR) of all and employees of the City amp County of San ongoing Francisco Department of Public Health (CCSF
r 11
_i
-
I
8242012 113956AM
1tG t_4 i
Event 1DY71G11
TITLE (X6) DATE LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
Any deficiency statement ending wilh an asterisk (middot) denoles a deficiency which the institulion may be excused from correcling providing it is determined
lhal other safeguards provide sufficienl protection to the patients Except for nursing homes lhe findings above are disclosable 90 days following the date
of survey whether or not a plan of correclion is prolllded For nursing homes the above findings and plans of correction are disclosable 14 days following
the dale lhese documents are made available to the facility If deficiencies are ciled an approved plan of correction is requisile lo continued program
participalion-----middot -------middot-- shy------ -- --middot-- - _ __ 2or 5
CALIFORNIA HEALTH AND HUMAN SERVICESmiddot ENCY
DEPARTMENTmiddotOF PUBLIC HEALTH STATEMENT OF DEFICIENCIES (X1) PROVIOER SUPPU ERICLIA (X2) MULTIPLE CONSTRUCTION (X3) OATE SURVEY
AND PLAN OF CORRECTION IDENTIFICATION NUMBER COMPLETED
A BUILDING
050228 B WING 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZJP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4JID SUMMARY STATEMENT OF DAi~ftf(EACH DEFICIENCY MUST ~i i
l ~ (jfU~L
REGULATORY OR LSC IOE~ ING JroRMATION)
middotv 1 ~ 10
Continued From page 1 SEP 14 012 Substantiated
~LampC c 11J~_middotiJfnformed Medical Breach SAN FRANCiSCC
Hlalth and Safety C_ode Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthorized access to or use or disclosure of a patients medical information to the affected patient or fhe patients represfntative at the last known address no later than five business days after the unlawful or unauthorized access use or disclosure has middotbeen detected by the clinic health facility agency or hospice
The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information
128015(a) Health amp Safety Code 1280
(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars
PROVIDERS PLAN OF CORRECTION (X5)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPlf l F REFERENCED TO rHE APPROPRIATE DEFICIENCY) llA1[
PREFIX _ tJC e d J~]tlTAG
DPH) and of all employees of the University of camomia San Francisco (UCSF) who received care as patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Ufetime Clinical Record (LCRJ of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
Ongoing
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarding privacy issues to the SFGH Quality Council In aodition they report any incidents of non-compliance with DPH and SFG_Hprivacy policies which occur during the year at the next scheduled SFGH Quality Council
Responsible Person(s) SFGH Privacy Officer CHN Senior Information Systems Manager
Ongoing
Event 1DY71G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE T ITLE (X6) DATE
Any deficiency statement ending with an asterisk (bull) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If defic1ences are cited an approved plan of correction is requisite to continued program
participation
middot----- ---middot----------- ------ ----- -- middot-middot --middotmiddot-middot-middot-middot 2 015
A
---
CALIFORNIA HEAL TH AND HUMAN SERVICE~ GENCY
DEPARTMENT OF PUBLIC HEAL TH
(X 1) PROVIDERSUPPLIERCUASTATEMENT OF DEFICIENCIES (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY IDENTIFICATION NUMBER AND PLAN OF CORRECTION COMPLETED
A BUILDING
050228 B MNG 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO G ENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4)1D SUMMARY STATEMENT OF DEFICIENC IES 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEOEO BY FULL PREFIX
TA9 REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 2
($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical information For purposes of the investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related middotstate and federal statutes and regulations the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring and factors outside its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when middot determining the amount of an administrative penalty pursuant to this section
T22 DIV5 CH1 ART7-70751b) Medical Record Availability (b) The medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
These regulations were not met as evidenced by Based on interview and record review the facility failed to protect the medical records of five patients (Patient 1 2 3 4 amp 5) from loss and use by unauthorized persons when Physician 1 removed copies of part of the records from the facility Physicians 1s briefcase containing the patients medical information was stolen from his car on 12909
PROVIDERS PLAN OF CORRECTION (XS)
(EACH CORRE cnve ACTION SHOULD BE CROSSshy COMP Ello REFERENCED TO THE APPROPRIATE DEFICIENCY) DATE
I
II
T22 DIVS CHl1 ART7-70751 (b) Medical Record Availability 1 b) the medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
Action(s) The employee involved in this privacy breach had been oriented to their responsibilities to protect the confidentiality of patient protected health information (PHI) and to medical information privacy requirements and was counseled folloMng the self-report of the incident (see Attachment 1)
June 2009
1 Before and after this privacy breach inciden2009 hospital leadership ~as e_nga--g_ed_i_n _
t in Ongoing
SEP 1 4
tampCCMSON SN FP~NCISCO
l _ --___ __ Event ID_Y71G11 8242012 11 3956AM
LABORATORY DIRECTORS OR PROV1DERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing 11 is deltermined
1hal other safeguards provide sufficienl protection to the patients Except for nursing homes thefindings above are disclosabte 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of coltrection is requi site to continued program
participahon
3 ol ~
(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION
A BUILDING
8 ftING050228 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY
DEPARTMENTOF PUBLIC HEALTH ~
(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 3
Findings
During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1
took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9
A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION j (XS)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE
i ongoing efforts via memos emails staff 1
trainings and employee annual update training 1 to ensure that hospital staff are educated and
knowledgeable about hospital and SFDPHprivacy and security policies
InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief
Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues
ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~
i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the
middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH
I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot
E vent 1DY71G1 1 8242012 11 3956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot
SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program
participation
State-2567 4 of 5
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
CALIFORNIA HtA L I H ANU H UIVIAN gttKVlt Altt111 T
DEPARTMENT OF PUBLIC HEALTH (
(X3) DATE SURVEY (X1) PR011lERISUPPLIERCLIA I (X2) MULTIPLE CONSTR~ 1VNSTATEMENT OF DEFICIENCIES COMPLETED IDENTIFICATION NUMBERANO PLAN OF CORRECTION bullA BUILDING
I S WING 12232009050228 middot
STREET ADDRESS CITY STATE ZIP CODE
10_01 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY NAME OF PROVIDER OR SUPPLIER
SAN F RANCISCO GENERAL HOSPITAL
suMMARY srATEMAFia~1~Ntks (X4) 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL
TAG REGULATORY OR LSC IDENTIFYING INFORMATION)
s1LI0 f i1middotia11t1
CoRtinued From page
Substantiated
Informed Medical Breach
Health and Safety Code Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthori4ed access to or use or disclosure of a patients medicalmiddotinformation to the affected patient or the patients representative at the last known address no later than five business days middot after the unlawful or unauthorized access use or disclosure has been detected by the clinic health facility agency or hospice
The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information
128015(a) Health amp Safety Code 1280
(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 middot or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) ofSection 5605 of the Civil Code and consistent with Section 130203 The department afterinvestigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars
PROVIOERS PLAN OF CORRECTION (X5)
(EAOi CORRECTIVE ACTION SHOULD BE CROSSshy COMP ff I
REFERENCED TOTHE APPROPRIA E DEFICIENCY) I l)A11shyI
I 1 PREFIX t
I bull nr-n bull A w) 1 bull JI 5ft t middot l)LI I bullII
I f T - middot ~ I bullmiddot1 gtlt
bull Systems Departments meets monthly to review discuss amiddotnd recommend policy involving privacy compliance issues middot
In follow-up to a review of facility- related Manageshyprivacy breach cases reported to CDPH ment conducted by the SFGH Privacy Officer with Forum SFGH managers at the monthly Management Afgtril 24 Forum meeting including this 2009 incident 2012 theSFGH Chief of Staff and SFGH Privacy Officer presented the same review to the Chiefs of Service at a Medical Executive Committee (MEC) reminding the c~iefs about the hospital MEC and SFDPH privacy and security policies May 14 prohibiting the removal of patient protected 2012 information (PHI) including copies of the paper medical record froin the hospital as well as the penalties for violating these policies and the penalties for violating provisions of SB541 and middot AB211 (see Attachments 2 )
The SFGH Privacy Officer and the SFGH Initiated Privacy Analyst routinely conduct Privacy June2012 Roundswithin the hospital departments to and educate hqspital staff about privacy security and ongoing awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 34 5)
Monitoring The SFGH Privacy Officer and the SFGH Initiated Privacy Arialyst routinely conduct monthly audits June 2012 of the Ufetime Clinical Record (LCR) of all and employees of the City amp County of San ongoing Francisco Department of Public Health (CCSF
r 11
_i
-
I
8242012 113956AM
1tG t_4 i
Event 1DY71G11
TITLE (X6) DATE LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
Any deficiency statement ending wilh an asterisk (middot) denoles a deficiency which the institulion may be excused from correcling providing it is determined
lhal other safeguards provide sufficienl protection to the patients Except for nursing homes lhe findings above are disclosable 90 days following the date
of survey whether or not a plan of correclion is prolllded For nursing homes the above findings and plans of correction are disclosable 14 days following
the dale lhese documents are made available to the facility If deficiencies are ciled an approved plan of correction is requisile lo continued program
participalion-----middot -------middot-- shy------ -- --middot-- - _ __ 2or 5
CALIFORNIA HEALTH AND HUMAN SERVICESmiddot ENCY
DEPARTMENTmiddotOF PUBLIC HEALTH STATEMENT OF DEFICIENCIES (X1) PROVIOER SUPPU ERICLIA (X2) MULTIPLE CONSTRUCTION (X3) OATE SURVEY
AND PLAN OF CORRECTION IDENTIFICATION NUMBER COMPLETED
A BUILDING
050228 B WING 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZJP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4JID SUMMARY STATEMENT OF DAi~ftf(EACH DEFICIENCY MUST ~i i
l ~ (jfU~L
REGULATORY OR LSC IOE~ ING JroRMATION)
middotv 1 ~ 10
Continued From page 1 SEP 14 012 Substantiated
~LampC c 11J~_middotiJfnformed Medical Breach SAN FRANCiSCC
Hlalth and Safety C_ode Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthorized access to or use or disclosure of a patients medical information to the affected patient or fhe patients represfntative at the last known address no later than five business days after the unlawful or unauthorized access use or disclosure has middotbeen detected by the clinic health facility agency or hospice
The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information
128015(a) Health amp Safety Code 1280
(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars
PROVIDERS PLAN OF CORRECTION (X5)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPlf l F REFERENCED TO rHE APPROPRIATE DEFICIENCY) llA1[
PREFIX _ tJC e d J~]tlTAG
DPH) and of all employees of the University of camomia San Francisco (UCSF) who received care as patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Ufetime Clinical Record (LCRJ of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
Ongoing
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarding privacy issues to the SFGH Quality Council In aodition they report any incidents of non-compliance with DPH and SFG_Hprivacy policies which occur during the year at the next scheduled SFGH Quality Council
Responsible Person(s) SFGH Privacy Officer CHN Senior Information Systems Manager
Ongoing
Event 1DY71G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE T ITLE (X6) DATE
Any deficiency statement ending with an asterisk (bull) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If defic1ences are cited an approved plan of correction is requisite to continued program
participation
middot----- ---middot----------- ------ ----- -- middot-middot --middotmiddot-middot-middot-middot 2 015
A
---
CALIFORNIA HEAL TH AND HUMAN SERVICE~ GENCY
DEPARTMENT OF PUBLIC HEAL TH
(X 1) PROVIDERSUPPLIERCUASTATEMENT OF DEFICIENCIES (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY IDENTIFICATION NUMBER AND PLAN OF CORRECTION COMPLETED
A BUILDING
050228 B MNG 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO G ENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4)1D SUMMARY STATEMENT OF DEFICIENC IES 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEOEO BY FULL PREFIX
TA9 REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 2
($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical information For purposes of the investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related middotstate and federal statutes and regulations the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring and factors outside its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when middot determining the amount of an administrative penalty pursuant to this section
T22 DIV5 CH1 ART7-70751b) Medical Record Availability (b) The medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
These regulations were not met as evidenced by Based on interview and record review the facility failed to protect the medical records of five patients (Patient 1 2 3 4 amp 5) from loss and use by unauthorized persons when Physician 1 removed copies of part of the records from the facility Physicians 1s briefcase containing the patients medical information was stolen from his car on 12909
PROVIDERS PLAN OF CORRECTION (XS)
(EACH CORRE cnve ACTION SHOULD BE CROSSshy COMP Ello REFERENCED TO THE APPROPRIATE DEFICIENCY) DATE
I
II
T22 DIVS CHl1 ART7-70751 (b) Medical Record Availability 1 b) the medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
Action(s) The employee involved in this privacy breach had been oriented to their responsibilities to protect the confidentiality of patient protected health information (PHI) and to medical information privacy requirements and was counseled folloMng the self-report of the incident (see Attachment 1)
June 2009
1 Before and after this privacy breach inciden2009 hospital leadership ~as e_nga--g_ed_i_n _
t in Ongoing
SEP 1 4
tampCCMSON SN FP~NCISCO
l _ --___ __ Event ID_Y71G11 8242012 11 3956AM
LABORATORY DIRECTORS OR PROV1DERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing 11 is deltermined
1hal other safeguards provide sufficienl protection to the patients Except for nursing homes thefindings above are disclosabte 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of coltrection is requi site to continued program
participahon
3 ol ~
(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION
A BUILDING
8 ftING050228 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY
DEPARTMENTOF PUBLIC HEALTH ~
(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 3
Findings
During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1
took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9
A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION j (XS)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE
i ongoing efforts via memos emails staff 1
trainings and employee annual update training 1 to ensure that hospital staff are educated and
knowledgeable about hospital and SFDPHprivacy and security policies
InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief
Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues
ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~
i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the
middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH
I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot
E vent 1DY71G1 1 8242012 11 3956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot
SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program
participation
State-2567 4 of 5
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
CALIFORNIA HEALTH AND HUMAN SERVICESmiddot ENCY
DEPARTMENTmiddotOF PUBLIC HEALTH STATEMENT OF DEFICIENCIES (X1) PROVIOER SUPPU ERICLIA (X2) MULTIPLE CONSTRUCTION (X3) OATE SURVEY
AND PLAN OF CORRECTION IDENTIFICATION NUMBER COMPLETED
A BUILDING
050228 B WING 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZJP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4JID SUMMARY STATEMENT OF DAi~ftf(EACH DEFICIENCY MUST ~i i
l ~ (jfU~L
REGULATORY OR LSC IOE~ ING JroRMATION)
middotv 1 ~ 10
Continued From page 1 SEP 14 012 Substantiated
~LampC c 11J~_middotiJfnformed Medical Breach SAN FRANCiSCC
Hlalth and Safety C_ode Section 128015 (b)(2) A clinic health facility agency or hospice shall also report any unlawful or unauthorized access to or use or disclosure of a patients medical information to the affected patient or fhe patients represfntative at the last known address no later than five business days after the unlawful or unauthorized access use or disclosure has middotbeen detected by the clinic health facility agency or hospice
The CDPH verified that the facility informed the affected patient(s) or the patients representative(s) of the unlawful or unauthorized access use or disclosure of the patients medical information
128015(a) Health amp Safety Code 1280
(a) A clinic health facility home health agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlawful or unauthorized access to and use or disclosure of patien_ts medical information as defined in subdivision (g) of Section 5605 of the Civil Code and consistent with Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25000) per patient whose medical information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars
PROVIDERS PLAN OF CORRECTION (X5)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPlf l F REFERENCED TO rHE APPROPRIATE DEFICIENCY) llA1[
PREFIX _ tJC e d J~]tlTAG
DPH) and of all employees of the University of camomia San Francisco (UCSF) who received care as patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Ufetime Clinical Record (LCRJ of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
Ongoing
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarding privacy issues to the SFGH Quality Council In aodition they report any incidents of non-compliance with DPH and SFG_Hprivacy policies which occur during the year at the next scheduled SFGH Quality Council
Responsible Person(s) SFGH Privacy Officer CHN Senior Information Systems Manager
Ongoing
Event 1DY71G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE T ITLE (X6) DATE
Any deficiency statement ending with an asterisk (bull) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If defic1ences are cited an approved plan of correction is requisite to continued program
participation
middot----- ---middot----------- ------ ----- -- middot-middot --middotmiddot-middot-middot-middot 2 015
A
---
CALIFORNIA HEAL TH AND HUMAN SERVICE~ GENCY
DEPARTMENT OF PUBLIC HEAL TH
(X 1) PROVIDERSUPPLIERCUASTATEMENT OF DEFICIENCIES (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY IDENTIFICATION NUMBER AND PLAN OF CORRECTION COMPLETED
A BUILDING
050228 B MNG 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO G ENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4)1D SUMMARY STATEMENT OF DEFICIENC IES 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEOEO BY FULL PREFIX
TA9 REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 2
($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical information For purposes of the investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related middotstate and federal statutes and regulations the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring and factors outside its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when middot determining the amount of an administrative penalty pursuant to this section
T22 DIV5 CH1 ART7-70751b) Medical Record Availability (b) The medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
These regulations were not met as evidenced by Based on interview and record review the facility failed to protect the medical records of five patients (Patient 1 2 3 4 amp 5) from loss and use by unauthorized persons when Physician 1 removed copies of part of the records from the facility Physicians 1s briefcase containing the patients medical information was stolen from his car on 12909
PROVIDERS PLAN OF CORRECTION (XS)
(EACH CORRE cnve ACTION SHOULD BE CROSSshy COMP Ello REFERENCED TO THE APPROPRIATE DEFICIENCY) DATE
I
II
T22 DIVS CHl1 ART7-70751 (b) Medical Record Availability 1 b) the medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
Action(s) The employee involved in this privacy breach had been oriented to their responsibilities to protect the confidentiality of patient protected health information (PHI) and to medical information privacy requirements and was counseled folloMng the self-report of the incident (see Attachment 1)
June 2009
1 Before and after this privacy breach inciden2009 hospital leadership ~as e_nga--g_ed_i_n _
t in Ongoing
SEP 1 4
tampCCMSON SN FP~NCISCO
l _ --___ __ Event ID_Y71G11 8242012 11 3956AM
LABORATORY DIRECTORS OR PROV1DERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing 11 is deltermined
1hal other safeguards provide sufficienl protection to the patients Except for nursing homes thefindings above are disclosabte 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of coltrection is requi site to continued program
participahon
3 ol ~
(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION
A BUILDING
8 ftING050228 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY
DEPARTMENTOF PUBLIC HEALTH ~
(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 3
Findings
During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1
took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9
A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION j (XS)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE
i ongoing efforts via memos emails staff 1
trainings and employee annual update training 1 to ensure that hospital staff are educated and
knowledgeable about hospital and SFDPHprivacy and security policies
InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief
Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues
ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~
i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the
middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH
I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot
E vent 1DY71G1 1 8242012 11 3956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot
SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program
participation
State-2567 4 of 5
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
CALIFORNIA HEAL TH AND HUMAN SERVICE~ GENCY
DEPARTMENT OF PUBLIC HEAL TH
(X 1) PROVIDERSUPPLIERCUASTATEMENT OF DEFICIENCIES (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY IDENTIFICATION NUMBER AND PLAN OF CORRECTION COMPLETED
A BUILDING
050228 B MNG 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO G ENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
(X4)1D SUMMARY STATEMENT OF DEFICIENC IES 10
PREFIX (EACH DEFICIENCY MUST BE PRECEEOEO BY FULL PREFIX
TA9 REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 2
($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical information For purposes of the investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related middotstate and federal statutes and regulations the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring and factors outside its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when middot determining the amount of an administrative penalty pursuant to this section
T22 DIV5 CH1 ART7-70751b) Medical Record Availability (b) The medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
These regulations were not met as evidenced by Based on interview and record review the facility failed to protect the medical records of five patients (Patient 1 2 3 4 amp 5) from loss and use by unauthorized persons when Physician 1 removed copies of part of the records from the facility Physicians 1s briefcase containing the patients medical information was stolen from his car on 12909
PROVIDERS PLAN OF CORRECTION (XS)
(EACH CORRE cnve ACTION SHOULD BE CROSSshy COMP Ello REFERENCED TO THE APPROPRIATE DEFICIENCY) DATE
I
II
T22 DIVS CHl1 ART7-70751 (b) Medical Record Availability 1 b) the medical record including X-ray films is the property of the hospital and is maintained for the benefit of the patient the medical staff and the hospital The hospital shall safeguard the information in the record against loss defacement tampering or use by unauthorized persons
Action(s) The employee involved in this privacy breach had been oriented to their responsibilities to protect the confidentiality of patient protected health information (PHI) and to medical information privacy requirements and was counseled folloMng the self-report of the incident (see Attachment 1)
June 2009
1 Before and after this privacy breach inciden2009 hospital leadership ~as e_nga--g_ed_i_n _
t in Ongoing
SEP 1 4
tampCCMSON SN FP~NCISCO
l _ --___ __ Event ID_Y71G11 8242012 11 3956AM
LABORATORY DIRECTORS OR PROV1DERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing 11 is deltermined
1hal other safeguards provide sufficienl protection to the patients Except for nursing homes thefindings above are disclosabte 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of coltrection is requi site to continued program
participahon
3 ol ~
(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION
A BUILDING
8 ftING050228 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY
DEPARTMENTOF PUBLIC HEALTH ~
(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 3
Findings
During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1
took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9
A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION j (XS)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE
i ongoing efforts via memos emails staff 1
trainings and employee annual update training 1 to ensure that hospital staff are educated and
knowledgeable about hospital and SFDPHprivacy and security policies
InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief
Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues
ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~
i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the
middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH
I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot
E vent 1DY71G1 1 8242012 11 3956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot
SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program
participation
State-2567 4 of 5
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
(X1) PROVIDERSUPPLIERCLIA (X2) MULTIPLE CONSTRUCTION (X3) DATE SURVFYSTATEMENT OF DEFICIENCIES IDENTIFICATION NUMBER COMPLllFIgtAND PLAN OF CORRECTION
A BUILDING
8 ftING050228 12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 94110-3518 SAN FRANCISCO COUNTY
CALIFO RNIA HEALTH AND HUMAN SERViCES ENCY
DEPARTMENTOF PUBLIC HEALTH ~
(X4) 10 SUMMARY STATEMENT OF DEFICIENCIES ID
PREFIX (EACH DEFICIENCY MUST BE PRECEEDED BY FULL PREFIX
TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG
Continued From page 3
Findings
During an interview on 122209 at 3 10 pm Staff A (director of regulatory affairs) stated Physician 1
took copies of Patient 1 2 3 4 amp Ss initial infectious disease consultation forms home on iagt9 The forms had the patients name medical recofd number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physici~n 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on llllllos The Department was notified on ~ 9 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on - 9
A review of the facilitys Health Information Services Confidentiality Security and Release of Protected Health Information policy indicated the following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION j (XS)
(EACH CORRECTIVE ACTION SHOULD BE CROSSshy COMPLETE IREFERENCED T O THE APPROPRIATE DEFICIENCY) DIITE
i ongoing efforts via memos emails staff 1
trainings and employee annual update training 1 to ensure that hospital staff are educated and
knowledgeable about hospital and SFDPHprivacy and security policies
InitiatedThe SFGH multidsciplinary PrivacyJuly 12Committee composed ofthe SFGH Privacy2011 andOfficer and staff from the SFGH Privacy Office ongoingthe SFGH Chief Medical Officerthe SFGH Chief
Communications Officer representatives from the SFGH Legal Affairs Regulatory Affairs Health Information Systems departments as well as representatives from both the SFGH and UC$F Risk Management and lnfonTiation middot Systems Departments meets monthlyto review discuss and recommend policy involving privacy compliance issues
ManageshyIn follow-up to a review of facility- relatedmentprivacy breach cases reported to CDPHForumconducted by the SFGH Privacy Officer with April 24SFGH managers at the monthly Management2012Forumrn~_eijog including this 2009 inciden~
i the SFGH Chief of Staff and SFGH PrivacyOfficer presented the same review to the Chiefsof SeNice at a Medical Executive Committee (MEC) reminding the chiefs about thehospital MEC and SFDPH privacy and security policies May 14prohibiting the removal of patient protected 2012 infonnation (PHI) including copies of the paper medical record from the hospital as well as the
middot penalties for violating these policies and the penalties for violating provisions of SB541 and AB211 (see Attachments 2) =- pi - E _ JH
I CA DEPdegl OF PtJ8F1LJ n~middot I I middot1~= middot I fr-n 1 A i-n ir -i imiddot
E vent 1DY71G1 1 8242012 11 3956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DAT1M ~ middoti- LP~C OMSiON i~~ middot
SAN FAA~JCISCO Any deficiency statement ending with an asterisk(middot) denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing hones the findings above are disclosable 90 days following the date
of survey whether or not a plan of correction is provided For nursing homes the above findings and plans of correction are d1sclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requ1S1te to continued program
participation
State-2567 4 of 5
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
rA Dmicro D~PUBI_H~ H~ALTH~------=-----------------------------~ltLtushy(X2) MULTIPLE CONSTRUCTION ()lt3) DATE SURVEY(X1) PROVIOERSUPPLIERCLIASTATEMENT OF DEFICIENCIES COMPLETFOIDENTIFICATION NUMBERANO PLAN OF CORRECTION
A BUILDING t~middot SEP 1 4 l Omiddot-LC B WlNG t 12232009050228
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP cooe shy l~G ~tviaigra ~ SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 9411~ltfrac14l~ANemC6CO COUNTY
8242012 113956AMEvent IDY71 G11
TITLE (X6) DATELABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE
(X4) ID
PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES
(EACH DEFICIENCY MUST BE PRECEEOEO BY FULL
REGULATORY OR LSC IDENTIFYING INFORMATION)
Continued From page 3
Findings
During an interview on 122209 at 310 pm Staff A (director of regulatory affairs) stated Physician 1 took copies of Patient 1 2 3 4 amp 5s initial infectious disease consultation forms home on IIIIIIIIIJ9 The forms had the patients name medical record number date of birth a synopsis of the patients condition and notations regarding the consultation Staff A said someone broke into Physician 1s house and stole the briefcase containing the records from his unlocked car in the garage Staff A stated Physician 1 was Not supposed to take medical records home
Staff A said the facility became aware of the incident on 111111111)9middot The Department was notified on - 09 and a letter of notification was mailed to Patient 1 2 3 4 amp 5 on 1111109
A review of the facilitys Health middot Information
Services Confidentiality Security and Release of Protected Health Information policy indicated the
following
Purpose The purpose of this policy is to ensure
The confidentiality of protected health information
Procedure
D They (medical records) must not be taken from (name of facility) premises for any reason
PROVIDERS PLAN OF CORRECTION (XS)ID (EACH CORRECTIVE ACTION SHOULD BE CROSS COMPLETEPREFIX IbullREFERENCED TOTHE APPROPRIATE DEFICIENCY) DATETAG
The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct Privacy Roundswithin the hospital departments to educate hospital staff about privacy security and awareness to validate staff knowledge regarding privacy security and awareness as well as to identify issues requiring corrective action by managers Findings are reported to the Privacy Committee (see Attachments 3 4 5)
Monitoring The SFGH Privacy Officer and the SFGH Privacy Analyst routinely conduct monthly audits of the Ufetime Clinical Record LCR) of all employees of the City ampCounty of San Francisco Department of Public Health (CCSF DPH) and of all employees of the University of California San Francisco (UCSF) who received careas patients at the hospital (emergency department clinics acute care skilled nursing) to verify if the LCR access was appropriate the total number of audits conducted per month average between 25-30 Questionable audit results are investigated with the manager and employee and action taken as indicated by the investigation Audit results are reported quarterly to the Privacy Committee
The SFGH Privacy Officer and the SFGH Privacy Analyst conduct audits of the Lifetime Clinical Record (LCR) of any patient as requested by managers to verify if the LCR access was appropriate eg media high profile cases VIPs Questionable audit results are investigated with the manager and employee and action taken as indicated by the
investiaation Audit results are reported
Initiated June 2012 and ongoing
Initiated June 2012 and ongoing
Ongoing
Any deficiency statement ending with an asterisk () denotes a deficiency which the institution may be excused from correcting providing it is determined
that other safeguards provide sufficient protection to the patients Except for nursing homes the findings above are disclosable 90 days following the date
of survey whether or nota plan of correction is provided For nursing homes the above findings and plans of correction are disclosable 14 days following
the date these documents are made available to the facility If deficiencies are cited an approved plan of correction is requisite to continued program
participation
-middot- -- - ----4middot---------middot-middot-middotmiddotmiddot-middotmiddot- -middotmiddotmiddot-middot--middot----middot----middotmiddot------middot State-2567 ot 5
4f
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S
CALIFORNIA HEALTH AND HUMAN SERVICES SENCY
DEPARTMENT OF PU~LIC HEALTH 1
STlTEMENT OF DEFICIENCIES
ANO PLAN OF CORRECTION
(X 1) PROVIDERSUPPLIERCUA (X 2) MULTIPLE CONSTRUCTION
IOENTIFICA TION NUMBER
A BUILDING
050228 B WING
(X3) DATE SURVEY
COMPLETED
12232009
NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE
SAN FRANCISCO GENERAL HOSPITAL 1001 Potrero Ave San Francisco CA 941 10-3518 SAN FRANCISCO COUNTY
(X4) 1D PREFIX
TAG
SUMMARY STATEMENT OF DEFICIENCIES I I(EACH DEFICIENCY MUST BE PRECEEDED BY FULL I
REGULATORY OR LSC IDENTIFYING INFORMATION) I
I I
Continued From page 4
Physician 1 failed to follow the facilitys Health Information Seivices Confidentiality Security and Release of Protected Health Information policy when he removed protected health information from the facility The information was later stolen from Physician 1s car
The employees removal of patient records from the hospital and the subsequent theft of those records from the employees home violated Health and Safety Code 128015 making the hospital subject to the applicable civil money penalty assessment
ID PREFIX
TAG
l PROVIDERS PLAN OF CORRECTION
(EACH CORRECTIVE ACTION SHOUU) BE CROSSshyI REFERENCED TO THE APPROPRIATE DEFICIENCY)
quarterty to the Privacy Committee
The SFGH Privacy Officer and the CHN Senior Information Systems Manager present an annual report regarQng privacy issues to the SFGH Quality Council In addition they report any incidents of non-compliance with DPH and SFGH privacy policies which occur during the year at the next scheduled SFGH Quality Council
ResponsiblePerson(s) SFGH Privacy Officer CHNSenior Information Systems Manager
CA DEPT OFFUBUCHEALTH t
~ t~
SEP 14 it i middotmiddot
1
middot-~ LampC DVISON middotmiddotmiddot~it SAN FRANCISCO middot
I (X5
COMPIJ 11
llAII
Ongoing June 2009
Ongoing
Event IDY7 1G11 8242012 113956AM
LABORATORY DIRECTORS OR PROVIDERSUPPLIER REPRESENTATIVES SIGNATURE TITLE (X6) DATE
A ny deficiency sta tement ending with an asterisk (bull) denotes a deficiency which the instituhon may be excused from correchng providing it is de1ermmed
lhat other safeguards provide sufficient protection to the patients Except tor nursing homes the findings above are disclosable 90 days lollowing the date
of survey whether or not a plan of correc110n is provided For nursing homes the above findings and plans or correction are disclosable 14 days follow1n9
the d ate these documents are made available to the facility If deficiencies are cited an approved plan of correction 1s requisite to continued program
participation
State-2567 S of S