or, t.-. document librar… · and plan of correction . identifigatjonnumber: a.amld1ns: ......

Ill

PRINTED 11182014 FORM APPROVED

Calffomia Deoartment of Publfo Health (X1 PROVIDEVSUPPUERGUA (X2 MULTIPLE CO[(STRUGTlON STATBllIENTOF DERCIENCIES (XS) DATE SURVEY

AND PLAN OF CORRECTION IDENTIFIGATJONNUMBER COMPLETEDAamLD1Ns cA~ 6 rr1 n r nvtA DEPARTMENT cOF PUBLIC HtALTH aw1NG middotCA070001349 10202014

NAME OF PROVIDER OR SUPPLIER STREETADORESSCrrYSTATEZlPGODttB ] l 2015 725 WELCH ROAD

LUCILE SALTER PACKARD CHILDRENS HSP1 PALOALTO CA S43M

Licensing and CertificaUon OMslon LABORATORY DIRECTORS OR PROVDERSUPPLIER REPRESENTAT

STATE FORM

(X4) ID PREFIX

TAG

A 001

A ooo

SUMMARYSTATBlEmOrOEFICIENCIES (EACH OEFtctENCY MUST BS PRECEOEO BV FUU

REGULATORY OR lSG IDENTIFYIN0 INFORMATION)

Informed Medical Breach

Health and Safety Code Section 128015 (b)(2) 0 A olinlc health facility agency or hospice shall also report any unlawM or unauthorized access to or use or discIOsura or a patients medical Information to tha affeetad patfentorttie patients representative atthe last known address no tater than five business days after-the unrawflli or unauthorized access use or disclosure has been detected by the clinic health 1acHity agency or hosplce11

The CDPH verified that the facility Informed the affected patlents or the patients representative(s of the unlawful or unauthorized access use or disclosure of the patienfs medical Information

Initial Comment

Tha following reflects tha findings of the California Department o-i Publfo Health durfng the Investigation of an entity reported incident conducted from 81814 to 102014

For Entity Reportect lnGdentCA00349367 regarding State Monltorl~acy Breach to entitles outside hospital a tata delfGiency was Identified (see California aalth and Safely Code- Sectionmiddot128015(a))

lnspeutlon was limited to1he specific entity reported incident investigated and does not represent tha findings of a full inspection of the hospital

Representing the California Department of Public Health 32398 Health FaciHties Evaluator Nurse

movtDERS p[AlfoFGORRECTIONID ACH GORREOTVEACllON SHOULD BEPREFIX

CROSampflEFERENCED T01HE APPROPRIATETAG DEFICIENCY)

AC01middot Background

Preparation andor execution of this plan of correction does not constitute admission or agreement

bull by the provider of the truth of the

t- facts alleged or conclusions set

forth on the Statement of DefidenCies This plan of

middot correction is prepared andor ~ middot executed solely because it is

required by state law

The hospital did not report to the

California Deprtment of Public AOOO Health (CDPH) that a Breach of

patient health information occurred Rather the hospital in

an abundance of caution notified CDPH within five business days of a possible incident under Health and Safety Code Section 128015 In an abundance of cautiolJ the patient was promptly notified of the incident~ but over a year and a half later the patient has not complained of any harm

(X5) COMPLETE

DATE

California Deoartment of Publlc Health


STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION

(X1) PROVIDERSUPPLIERCUA IDENTIFICATION NUMBER

()(2) MULTIPLE CONSTRUCTION A BUILDING _______ _

(X3 DATE SURVEY GOMPLETED

CA070001349 8WIN~ c

10202014

NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP CODE

725 WELCH ROADLUCILE SALTER PACKARD CHILDRENS HSP

PAlOALTO CA 94304

()lt4) ID PREFIX

TAG

Aooo

A017

SUMMARY STATEMENT OF DEFICIEfJCIES EACH DEFICIENCY MUST BE PRECEDED BY FULL

REGULATORY OR LSD IDENTIFYING INFORMATION

Continued From page 1

The hospital detected the Breach of Patients Health Information (PHI) on 32513 The hospital reported the Breach of PHI to the Department on 4113 The hospital notified Patient 1 of the Breach of PHI on 4113

1280middot15(a) Health ampSafetyCode 1280

(a) A clfnlcmiddothealth facility homemiddothealth agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlaWful or unauthorized access to and use or disclosure of patients medical Information as defined in subdivision (g) of Section 5605 of the Civil Coda and consistent With Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($26000) per patient whose medical Information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars ($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical Information For purposes of the Investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related state and federal statutes and regulations the extentto which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurrfng and factors outside Its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section

ID PREFIX

TAG

AOOO

A017

PROVIDERS PLAN OF CORRECTION (EACH COtlAEOTIVEACTION SHOULD BE

CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY)

There remains no evidence of

actual inappropriate access to use

or disclosure of the patients health I

information to date The hospitals ~ thorough investigation revealed

that a single email which was

inadvertently misdirected was

recalled expeditiously and then

promptly deleted from the server

at the hospitals direction The

email was sent after normal

business hours for t~ose on the

recipient list significantly

decreasing the likelihood of accessmiddot

The limited claim information middotmostly demographic was

contained in an attachment (not

the email itself) which also

significantly reduced the likelihood

of access especially for a recalled

email The possible recipients

were other health care providers

and vendors who are legally

obligated to protect the

confidentiality of patient

information

(X6 COMPLETE

DATE

Ucenslng and Certification Division STATE FORM QDlltM11 If continuation sheet 2 of 5


California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION

(X1) PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER

CA070001349

(X2) MULTIPLE CONSTRUCTION A BUILDING ________

8WING

(X3) DATE SURVEY COMPLETED

c 10202014

NAME OF PROVIDER OR SUPPLIER

LUCILE SALTER PACKARD CHILDijENS HSP bull

STREET ADDRESS CITY STATE ZlP CODE

725 WELCH ROAD PALO ALTO CA 94304

(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE

TAG REGULATORY OR LSO IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TD THE APPROPRIATE DEFICIENCY)

DATE

A017 Continued From page 2

This Statute is not met as evidenced by Based on interview and record review the hospital failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings

The California Department of Public Health received a faxed report on 4113 which Indicated on 32713 a single claim form which contained Patient 1s name address telephone number insurance name and identification number diagnosis code date of birth and provider was inadvertently emailed to a group distribution list

During an Interview on 81814 at 245 pm the compllance and privacy officer CPO) stated a pharmacy senior account representative (SAR) Inadvertently emailed Patient 1s claim form on 32513 to a Llstserve The CPO stated the SAR was having problems filling out the claim form so

A017 The hospital has numerous

safeguards ii place to protect the

confidenti~lity and privacy of all

patient records and

communications Workforce

members are required to adhere to

privacy and security policies

pertaining to the protection of

patient information including

information in electronic form

The hospita ls policies and training

specifically state that Workforce

members sending email

information containing PHI should

take special precautions Policy

and training further states that

Workforce members shall provide

security for information that is

commensurate with its data

i classification level The data

classification level of PHI is

I

i

i

I

I I

I I

I I I

I

I

I

I

II

I I

I I

she had telephoned the vendor of the software program which filfs out claim forms The vendor had asked the SAR to email him the clalm form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and

Category Confidential Highest

Sensitivity (Confidential Sensitive

Data) Policy and training also

require workforce members to

apply the minimum necessary

standard when using or disclosing

patient information

I

I I I

I

Licensing and Certification Division STATE FORM 6999 QDKM11 If contlnuatton sheet 3 of 5

California Deoartment of Publlc Health STATEMENT OF DEFICIENCIES ANO PLAN OF CORRECTION

(X1) PROVIDERSUPPLIERCUA IDENTIFIOATION NUMBER

(X2) MULTIPLE CONSTRUCTION A BUILDING _______



CA070001349 BWrNG _________ c

10202014

NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODE

725 WELCH ROAO LUCILE SALTER PACKARD CHILDijENS HSP 1

PALO ALTO CA 94304

X4)1D PREFIX

TAG

A017

SUMMARY STATEMENT OF DEFICIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL

REGUIJTORY OR LSC IPENTIFYlNG INFORMATION)


This Statute Is not met as evidenced by Based on interview and record review the hospltal failed to prevent the unauthorized disclosure of patient health Information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was inadvertently emailed to a grcupdistribution list The failure resulted in the disclosure of Patient 1 s PHI to unauthorized entitles Findings

The California Department of Publio Health received a faxed report on 4113 which indicated on 32713 a slngle claim form which contained Patient 1s name address telephone number insurance name and Identification number diagnosis code date of birth and provider was inadvertently emalled to a group distribution llst

During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a pharmacy senior account representative (SAR) inadvertently emailed Patient 1s claim form on 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the claim form so she had telephoned the vendor of the software program which filrs out claim forms The vendor had asked the SAR to email him the claim form The SAR Inadvertently emailed the claim form to the vendors Listserve of about 1026 health care facilities The CPO stated the hospitals IT security staff recalled the emailed message right away but the CPO was not sure how many were actually recalled The CPO stated the hospital middotdid not have a copy of the claim form The CPO stated the claim form disclosed Patient 1s name address telephone number insurance name and

ID PREFIX

TAG

A017

PROVIDERS PLAN OF CORRECTION (X5 COMPLETE

CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTIVE ACTION SHOULD BE

DATE DElJCJENOY)

Contrary to policies procedures

and training the SAR failed to

protect patient Information in her

possession The SAR did not

adhere to policy and training that I 1require special precautions be

taken when sending email I information containing PHI nor did J

I

SAR adhere to policies and training

that require application of the

minimum necessary standard

While this was an isolated incident the hospital applied its corrective

action policy to prevent

recurrence

Policies

HIPAA Security Electronic Mail

Policy

Ill It is the policy of Lucille

Packard Childrens Hospital at

Stanford to provide electronic mail

to its workforce members to

facilitate communications within

and outside SHC with reasonable

security controls to ensure

confidentiality of ePHI and other

sensitive SHC data

Licensing and Certification Dlvlsfon STATE FORM 6899 If continuation sheet 3-of 5QDKM11


California Denartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEAJCLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER

X2) MULTIPLE CONSTRUCTION A BUILDING ________

X3) DATE SURVEY COMPLETED

CA070001349 B WING G

10202014

NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP OODE

725 WELCH ROADLUCILE SALTER PACKARD CHILDijENS HSP 1

PALO ALTO CA 94304

X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BJ COMPLETE

TAG REGULATORY OR LSC IDENTIFYING tNFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)

A017 Continued From page 2 A017 HIPAA Use and Disclosure of

Protected Health Information

This Statute Is not met as evidenced by F When using or disclosing l

Based on interview and record review the PHI or requesting PHI from 1 hospitaIfalled to prevent the unauthorized another covered entity SHCLPCH disclosure of patient health information (PHI) for one of one sampled patient (1) when a pediatric patients (Patient 1) claim form was Inadvertently emailed to a group distribution llst The failure resulted In the disclosure of Patient is PHI to

will make reasonable efforts to

limit PHI to the minimum

necessary to accomplish the

middotI I

unauthorized entrtles Findings intended purpose of the use

The California Department of Publlo Health disclosure or request The

received a faxed report on 4113 which minimum necessary requirement Indicated on 32713 a single claim form which contained Patient 1s name address telephone

does not apply to certain uses or

number insurance name and ldentlficatlon disclosures including those number diagnosis code data of birth and authorized by the individual and provider was inadvertently emalled to a group distribution list those needed by a healthcare

provider for treatment purposes During an interview on 81814 at 245 pm the compliance and privacy officer (GPO) stated a pharmacy senior account representative (SAR)

HIPAA Internal Access to

Inadvertently emaired Patient 1s claim form on Protected Health Information 32513 to a Ustserve The CPO stated the SAR was having problems fllllng out the clalm form so VE1 When a user printsshe had telephoned the vendor of the software program which fills out claim forms The vendor information from a hospital

had asked the SAR to email him the clalm form information system the user Js The SAR Inadvertently emailed the clam form to the vendors Ustserve of about 1026 health care

responsible for handling patient

facilities The CPO stated the hospitals IT information confidentially security staff recalled the emailed message right protecting it from unauthorized awaybull but the CPO was not sure how many were actually recalled The CPO stated the hospital secondary disclosure middotdid not have a copy of the claim form The CPO stated the claim form dlsclosed Patient 1s name address telephone number Insurance name and

Licensing and Certification Division STATE FORM 6B9ll QDKM11 If continuation sheet tJ of5

~tgt



STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION

(X1 PROVIDERSUPPLIEAJCLIA IDENTIFICATION NUMBER



CA070001349 B WING c

10202014


LUCILE SALTER PACKARD CHILDijlNS HSP 725 WELCH ROAD PALO ALTO CA 94304

(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PLAN OF CORRECTION (X5) PREFIX (EACH DEFICIENCY MUST Br PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD Br COMPLETE

TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CROSS-REFERENCED TO THE APPROPRIATE DATE DEFICIENCY)

A017 Continued From page 2 A017 Policy Confidentiality Statement

I Understand that I am

This Statute ls not met as evidenced by responsible for protecting PHI or

Based on interview and reicord review the medical information that is sent by hospital failed to prevent the unauthorized me via facsimile andor disclosure of patient health Information (PHI) for one of one sampled patient (1 ) when a pedlatrlo electronically such as e-mail and I

patienfs (Patient 1) claim form was inadvertently am responsible for following the emailed to a group distribution llst The failure resulted in the disclosure of Patient 1s PHI to

applicable policies with respect to

unauthorized entitles Findings the transmission of PHI or medical

information and that anyThe Californla Department of Publio Health received a faxed report on 4113 which inappropriate disclosure of Indicated on 32713 a single claim form which information may make me subject contained Patient 1s name address telephone number insurance name and Identification to legal andor disciplinary action

number diagnosis code data of birth and Since the patient information was provider was Inadvertently emailed to a group distribution list contained in an attachment to the

email and the email was recalled During an interview on 81814 at 245 pm the compliance and privacy officer (CPO) stated a

quickly on an evening after

pharmacy senior account representative SAR) recipients normal work hours we inadvertently emalled Patient 1 s claim form on are not aware that any of the 32513 to a Ustserve The CPO stated the SAR was having problems filling out the claim form so unintended recipients actually

she had telephoned the vendor of the software program which filfs out claim forms The vendor

accessed the information

had asked the SAR to email him the claim form The SAR Inadvertently emaifed the claim form to

A single patient claim information

the vendors Ustserve of about 1026 health care was inadvertently emailed as an facilities The CPO stated the hospitals IT attachment to the email There security staff recalled the emailed message right awaybull but the CPO was not sure how many were was no patient information in the

actually recalled The CPO stated the hospital body of the email The employee middotdid not have a copy of the claim form The CPO immediately contacted hospitals ITstated the claim form disclosed Patient 1s name address telephone number insurance name and

Licensing and Certification Dfvlslon 88119STATE FORM QDKM11 CALIFORNIA DEPARTMENJt cont1nua11on sheet t of s

OF PUBLIC HEAltH ~c

FEB l 2 2015 Lamp C DIVISION

SAN JOSE


Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PlAN OF CORRECTION

(X1) Pi=OVIDERJSUPPLIERCLIA IDENTIFICATION NUMBER

(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ _ _ _____

CA070001349 BWING c

10202014


LUCILE SALTER PACKARD CHILDRENS HSP

STREET ADDRESS CITY STATE ZIP CODE


(X4) ID SUMMARY STATEMENT OF DEFICIENCIES ID PROVIDERS PlAN OF CORRECTION X5) PREFIX (EACH DEFICIENCY MUST BE PRECEDED BY FULL PREFIX (EACH CORRECTIVE ACTION SHOULD BE COMPLETE

TAG REGULATORY OR LSC IDENTIFYING INFORMATION) TAG CJ30SS-REFERENCED TO THE APPROPRIATE DEFICIENCY)

DATE

A 017 Continued From page 3

Identification number diagnosis code date of birth and provider

During an Interview on 102014 at 9 am SAR stated at about 430 pm she was helping a coworker with a claim form SAR stated she was on the telephone with the vendor of the software program which produces the clafm forms and the vendor had remote access to her computer SAR stated the claim form was not printing correctly so the vendor asked SAR to email the printed claim form to him SAR stated the vendor did not

A 017 Security and followed instructions

to recall the email and in the

interim sent an email instructing

recipients to delete the email The I

latter was sent within 21 minutes and the recall occurred within

approximately 45 minutes

I

I I

The hospital was in the process of I permissibly responding to a I

receive the claim form after she emailed it and they realized the form was inadvertently emailed to the vendors Listserve SAR stated she recalled the email within 30 minutes ofsending the small SAR stated the vendor company was located on the East Coast and was on Eastern Standard Time (EST) which would have been 730 pm end of business day) SAR stated most of the entities on the vendors Llstserve were located on the East Coast and most likely did not open the email SAR stated about 99 of the emails were probably recalled but the _ hospital was not able to locate the actual nliAber~ which were recalled

A review of a copy of a lettiir which the CPO stated was sent on 4113 from the hospital to Patient 1s family member Indicated on 32713 the middothospitals privacy office was made aware on 32513 a claim form with Patient 1s name address and telephone number insurance name and ldentitrcation number diagnosis code date of birth and provider disclosed was Inadvertently emailed to a group distribution list

middotmiddot

vendor under confidentiality

agreement with the hospital for

troubleshooting support when the

email was inadvertently

misdirected to the vendors

listserve According to the

hospitals vendor there were not

1026 health care facilities actively

participating in the listserve during l the period when this occurred

1

twenty months ago Rather the i vendor stated that it had 600

active members generally but did

not have a record that any

accessed the attachment to the

email at issue

Several requests to review a copy of the hospitals policy regarding electronic malling of Patient Health Information was submitted

Licensing and Certification Division STATE FORM QDKM11 CALl~ORNf~~~~Ffl~aet 4ors

OF PUSuc HEAL TH ENT

FEB Jl 2015 Lamp C DIVISION

SANJOSE


California Deoartment of Public Health STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION


CA070001349

(X2 MULTIPLE CONSTRUCTION A BUILDING _________

B WING _________


c 10202014





(X4) ID PREFIX

TAG


REGULATORY OR LSG IDENTIFYING INFORMATION)

ID PREFIX

TAG

PROVIDERS PLAN OF CORRECTION (EACH CORRECTIVE ACTION SHOULD BE


(XS) COMPLETE

DATE


However the hospital did not provide a copy of the pollcy regarding electronic mallng of Patient Health Information

A017 The CPO does not recall being

asked for the claim form The

hospital has the claim form and can

provide upon request Regarding I

the question as to how many I emails were recalled the employee

immediately contacted hospitals IT

Security and received instruction to

recall the email and accomplished

this within 45 minutes which gave

rise to a good faith belief by the

hospital that all or nearly all emails

were recalled

The hospital CPO verbally provided

relevant policy references The

hospital has had longstanding

policy on electronic mailing of PHI

and offers to provide the policy as

support for the previously provided

references

I

I i I

CALIFORNIA DEPARTMENT OF PUBLIC HEALTH

FEB i 22015 Lamp C DIVISION

SAN JOSE

Licensing and Certlffcatlon DMslon STATgFORM 88119 QDKM11 If continuation sheet 5 of 5

II

California Deoartment of Public Health




(X2) MULTIPLE CONSTRUCTION A BUILPING ____~-~

(X3 DATE SURVEY COMPLETED

CA070001349 BWING _________

c 10202014


725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP

PALO ALTO CA 94304

(X4) ID PREFIX

TAG


REGULATOIW OR LSC IDENTIFYING INFORMATION)

ID PREFIX

TAG

A 017 Continued From page 4 A017

However the hospital did not provide a copy of the polcy regarding electronic malllng of Patient Health Information


CROSS-REFERENCED TO THE APPROPRIATE DEFICIENOY

Plan of Correction

For the patient affected by the

incident

The provider notified the patient

who was affected by this incident

The patient was provided with a

contact name and number to call

the provider with any questions i The patient has not contacted the I

hospital or otherwise expressed

any concerns

For other patients having the

potential to be affected by a similar

incident

This was an isolated incident and 1

limited to the one employee who ~ failed to follow policy and double- I check that the appropriate e-mail

address was selected to prevent I the email from going to

unintended recipients The l employee was sanctioned and was ~ re-trained to prevent recurrence of

a similar incident

(X5) COMPlETE

DATE

April 1

2013

Licensing and Certification DMslon STATE FORM QDKMH CAilF~fltAabeP~T~~

O~ PUBLIC HEAt TH middot T

FEB 1l 2015 L amp C DIVISION

SAN JOSE


Californla Deoartment of Publo Heath STATEMENT OF DEFICIENCIES AND PLAN OF CORRECTION

(X1) PROVIDERSUPPUERCLIA IDENTIFICATION NUMBER

CA070001349

(X2) MULTIPLE CONSTRUCTION A BUILDING _________

B WING


c 10202014





(X4) ID PREFIX

TAG


REGULATORY OR LSO IDENTIFYING INFORMATION)

ID PREFIX

TAG


CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY

(X5) COMPLETE

DATE


However the hospital did not provide a copy of the polcy regarding eleotronlc maflfng of Patient Health Information

A017

Immediate measures and enhancements to prevent

recurrence

The hospital continually seeks

opportunities to strengthen its

privacy and information security

programs for the protection of the

medical information of the patients

it serves Immediate measures

were taken as follows

a Within twenty minutes of March 25

sending the original email

attachment the employee sent a

second email to all recipients

directing them to immediately

delete the email and attachment

2013

1 b Within thirty minutes of March 25


FEB r1 2015 L amp C DIVISION

SAN JOSE

sending the original email the

employee worked with IT security

to recall the original email

Recalling the message removes the

message from anyones inbox who

has not already opened the

message The SAR confirmed the

effectiveness of the recall because

2013

Licensing and Certlfcatlon D1vlslori STATE FORM QDKM11 If con11nuatfon sheet 5 of 5

California Deoartment of Publfc Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIEROLIA AND PLAN OF CORRECTION IDENTIFICATION NUMBER

CA070001349

PRINTED 11iB2014 FORM APPROVED

(X2) MULTIPLE CONSTRUCTION (X3) DATE SURVEY COMPLETEDA BUILDING _ ___~---

cB WING ___ ___ ___

10202014



PALO ALTO CA 94304

SUMMARY STATEMENT OF DEFICIENCIES PREFIX (X4) ID

(EACH DEFICIENCY MUST BE PRECEDED BY FULL TAG REGULATORY OR LSC IDENTIFYING INFORMATION)


However the hospital did not provide a copy of the pollcy regarding electronic malllng of Patient Health Information


FEB 1middot22015 L amp C DIVISION

SAN JOSE

Licensfng and Certlffcatfon DMslon

ID PREFIX

TAG

A017

PROVIDERS PLAN OF CORRECTION (XS) COMPLETE

CROSS-REFERENCED TO THE APPROPRIATE (EACH CORRECTNEACTION SHOULD BE

DATE DEFICIENCY)

she in fact received the email

indicating her middot original email had

been recalled The providers

vendor is located on the east coast

and the majority of the vendors I clients are also located on the east

coast The original email with I

attachment was sent well after

normal business hours The

hospital has a good faith belief that

I

all or nearly all of the unintended

recipients would not have had the 1

opportunity to open the email and

open the claim attachment prior to

its recall According to the

hospitals vendor although the

listserve was comprised of 1029

members only 600 of those

members were active listserve

members in general for purposes of reading software updates there

is no evidence that any listserve

member opened this attachment

or viewed limited medical

information

STATE FORM 6899 QDKM11 If continuation sheet 5 ot 5

California Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDERSUPPLIERCUA AND PLAN OF CORRECTION


IDENTIFICATION NUMBER

CA070001349

LUCILE SALTER PACKARD CHILDRENS HSP 1

X4) ID PREFIX

TAO

AD17

(X2 MULTIPLE CONSTRUCTION A BUILDING ________

BWING



SUMMARY STATEMENT OF OEFlCIENCIES (EACH DEFICIENCY MUST BE PRECEDED BY FULL



However the hospital did not provide a copy of the policy regarding electronlc mallfng of Patient Health Information


FEB l 12015 L ampC DIVISION

SAN JOSE

ID PREFIX

TAG

A017

I


X3 DATE SURVEY COMPLETED

c 10202014

PROVIDERS PJJN OF CORRECTION (EAQfi CORRECTIVE ACTION SHOULD BE

CRP93-REFERENCED TO THE APPROPRIATE DEFICIENCY)

c The hospitals vendor

confirmed that the original email

was removed from its server

d Hospital workforce

members are required to complete

mandatory Privacy training i annually pass a competency test

and complete an attestation

statement acknowledging their

responsibility to comply with

Privacy policies and procedures 1

Monitoring performance to ensure corrections are achieved and sustained

i The hospital will continue

evaluative and

preventative efforts on PHI

data transmissions which

will be reported to the

hospital Director of IT

Security for a period of one l

year from the date of

incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4

Licensing and Certification DMslon STATE FORM QDKM11 If con1inuatton sheet 5 ot 5


Californ a Deoartment of Public Health STATEMENT OF DEFICIENCIES (X1) PROVIDER8UPPLIERCLIA (X2) MULTIPLE CONSTRUCTION X3) DATE SURVEY AND lLAN OF CORRECTION bull llJENTIFICATION NUMBER COMPLETEDA BUILDING ____~--

cBWING _________CA070001349 10202014

NAME OF PROVIDER OR SUPPLIER STREET ADDRESS CITY STATE ZIP CODI

725 WELCH ROAD LUCILE SALTER PACKARD CHILDRENS HSP 1

PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX

PROVIDERS PLAN OF COflAECTION (EACH CORRECTIVE ACTION SHOULD BE

TAG REGULATOflY OR LSO IDENTIFYING INFORMATION) TAlt CROSS-REFERENCED TO THE APPROPRIATE DEFICIENCY


However the hospital did not provide a copy of the polfcy regarding electronlo malllng of Patient

A017 ii Hospitals

manager over

function~

pharmacy Health Information claims processing functions

will monitor employee

actions related to emailing

claims information to

Hospitals business

associate vendors for a period of one year from

the date of incident

iii The functional manager

will ensure periodic

reminders of procedures

and policies at staff

meetings for a period middotaf

one year from the date of

incident

iv Hospital will include in its

annual 2015 privacy

CALIFORNIA DEPARTtv ENT awareness campaign

OF PUBLIC HEALTI- specific mention for

FEB 12 2015 employees to doubleshy

check the recipient in the

L ampC DIVISION To line of each email SAN JOSE

(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014

snsJng and Certification DMslon ~TE FORM 61199 QDKM11 If co~llnuatlon sheet 5 ot Ii

PRINTED 11182014

FORM APPROVED Californla Denartment of Public Health STATEMENT OF DEFICIENCIES [X1) PROVIDERSUPPUEFVCLIA (X2) MULTIPLE CONSTRUCTION XS) DATE SURVEY AND PLAN OF CORRECTION bull ltlENTIFICATION NUMBER ABUILDING ____~-~ COMPLETED

CA070Q01349 B WING _________ c

10202014

I NAME OF PROVIDER OR SUPPLIER STREETADDRESS CllY STATE ZIP CODE

LUCILE SALTER PACKARD CHILDRENS HSP 1 725 WELCH ROAD PALO ALTO CA 94304

SUMMARY STATEMENT OF DEFICIENCIES PROVIDERS PLAN OF CORRECTIONX4) ID ID (EACH DEFICIENCY MUST BE PRECEDED BY PULL (EACH CO RREGTIVE AOTION SHOULD BE

TAG PREFIX PREFIXI

REGULATORY OR LBO IPENTIFYINB INFORMATION) CROSS-REFERENCED TO THllAPPROPRIATE DEFICIENCY)

TAG

A017A017 Continued From page 4 v A report of middot monitorin~ However the hospital did not provide a copy of results will be submitted tothe policy regarding electronc malling of Patient

the Privacy

Council Health Information

(XS) COMPlETE

DATE

-

December

2014

CALIFORNIA DEPARTMENT or PUBLIC HEALTH

FEB 122015 Lamp C DIVISION S~JOSE

I censlng and Certification DMslon fATEFORM If contlnuetof sheet 5 of 5 QDKM11





()(2) MULTIPLE CONSTRUCTION A BUILDING _______ _

(X3 DATE SURVEY GOMPLETED

CA070001349 8WIN~ c

10202014

NAME OF PROVIDER OR SUPPLIER STREETADDRESS CITY STATE ZIP CODE

725 WELCH ROADLUCILE SALTER PACKARD CHILDRENS HSP

PAlOALTO CA 94304

()lt4) ID PREFIX

TAG

Aooo

A017

SUMMARY STATEMENT OF DEFICIEfJCIES EACH DEFICIENCY MUST BE PRECEDED BY FULL

REGULATORY OR LSD IDENTIFYING INFORMATION


The hospital detected the Breach of Patients Health Information (PHI) on 32513 The hospital reported the Breach of PHI to the Department on 4113 The hospital notified Patient 1 of the Breach of PHI on 4113

1280middot15(a) Health ampSafetyCode 1280

(a) A clfnlcmiddothealth facility homemiddothealth agency or hospice licensed pursuant to Section 1204 1250 1725 or 1745 shall prevent unlaWful or unauthorized access to and use or disclosure of patients medical Information as defined in subdivision (g) of Section 5605 of the Civil Coda and consistent With Section 130203 The department after investigation may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($26000) per patient whose medical Information was unlawfully or without authorization accessed used or disclosed and up to seventeen thousand five hundred dollars ($17500) per subsequent occurrence of unlawful or unauthorized access use or disclosure of that patients medical Information For purposes of the Investigation the department shall consider the clinics health facilitys agencys or hospices history of compliance with this section and other related state and federal statutes and regulations the extentto which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurrfng and factors outside Its control that restricted the facilitys ability to comply with this section The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section

ID PREFIX

TAG

AOOO

A017

PROVIDERS PLAN OF CORRECTION (EACH COtlAEOTIVEACTION SHOULD BE


There remains no evidence of

actual inappropriate access to use

or disclosure of the patients health I

information to date The hospitals ~ thorough investigation revealed

that a single email which was

inadvertently misdirected was

recalled expeditiously and then

promptly deleted from the server

at the hospitals direction The

email was sent after normal

business hours for t~ose on the

recipient list significantly

decreasing the likelihood of accessmiddot

The limited claim information middotmostly demographic was

contained in an attachment (not

the email itself) which also

significantly reduced the likelihood

of access especially for a recalled

email The possible recipients

were other health care providers

and vendors who are legally

obligated to protect the

confidentiality of patient

information

(X6 COMPLETE

DATE

Ucenslng and Certification Division STATE FORM QDlltM11 If continuation sheet 2 of 5




CA070001349


8WING


c 10202014







DATE








patient records and


















I

i

i

I

I I

I I

I I I

I

I

I

I

II

I I

I I








patient information

I

I I I

I







CA070001349 BWrNG _________ c

10202014



PALO ALTO CA 94304

X4)1D PREFIX

TAG

A017







ID PREFIX

TAG

A017



DATE DElJCJENOY)







I






recurrence

Policies


Policy









sensitive SHC data







10202014



PALO ALTO CA 94304










middotI I













~tgt








10202014
























OF PUBLIC HEAltH ~c


SAN JOSE





CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014







CA070001349


8WING


c 10202014







DATE








patient records and


















I

i

i

I

I I

I I

I I I

I

I

I

I

II

I I

I I








patient information

I

I I I

I







CA070001349 BWrNG _________ c

10202014



PALO ALTO CA 94304

X4)1D PREFIX

TAG

A017







ID PREFIX

TAG

A017



DATE DElJCJENOY)







I






recurrence

Policies


Policy









sensitive SHC data







10202014



PALO ALTO CA 94304










middotI I













~tgt








10202014
























OF PUBLIC HEAltH ~c


SAN JOSE





CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014









CA070001349 BWrNG _________ c

10202014



PALO ALTO CA 94304

X4)1D PREFIX

TAG

A017







ID PREFIX

TAG

A017



DATE DElJCJENOY)







I






recurrence

Policies


Policy









sensitive SHC data







10202014



PALO ALTO CA 94304










middotI I













~tgt








10202014
























OF PUBLIC HEAltH ~c


SAN JOSE





CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014









10202014



PALO ALTO CA 94304










middotI I













~tgt








10202014
























OF PUBLIC HEAltH ~c


SAN JOSE





CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014











10202014
























OF PUBLIC HEAltH ~c


SAN JOSE





CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014








CA070001349 BWING c

10202014







DATE










I

I I




middotmiddot










1





email at issue





SANJOSE




CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014







CA070001349


B WING _________


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(XS) COMPLETE

DATE














were recalled







references

I

I i I



SAN JOSE


II







CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014










CA070001349 BWING _________

c 10202014



PALO ALTO CA 94304

(X4) ID PREFIX

TAG



ID PREFIX

TAG





Plan of Correction


incident







any concerns



incident





a similar incident

(X5) COMPlETE

DATE

April 1

2013




SAN JOSE




CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014







CA070001349


B WING


c 10202014





(X4) ID PREFIX

TAG



ID PREFIX

TAG



(X5) COMPLETE

DATE



A017


recurrence














2013




SAN JOSE









2013



CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014





CA070001349



cB WING ___ ___ ___

10202014



PALO ALTO CA 94304







SAN JOSE


ID PREFIX

TAG

A017



DATE DEFICIENCY)










I














information





CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014







CA070001349


X4) ID PREFIX

TAO

AD17


BWING









SAN JOSE

ID PREFIX

TAG

A017

I



c 10202014















evaluative and







incident

(X5) COMPlETE

DATE

April 1

2013

Ongoing

Mar~h 27 20l4




cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014






cBWING _________CA070001349 10202014



PALO ALTO CA 94304

X4) ID PREFIX


IP PREFIX





A017 ii Hospitals

manager over

function~





Hospitals business









incident


annual 2015 privacy






(X5) COMPlETE

DATE middotmiddot

~ ~middot middot

March 27

2014

March 27

2014

December

2014


PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014




PRINTED 11182014


CA070Q01349 B WING _________ c

10202014




TAG PREFIX PREFIXI


TAG


the Privacy


(XS) COMPlETE

DATE

-

December

2014




or, t.-. document librar… · and plan of correction . identifigatjonnumber: a.amld1ns: ......

Documents