Potential privacy breaches need to be reported to the Office of Healthcare Compliance and Privacy as soon as they are discovered, even if the person who discovered the incident was not involved. Under California law, UCSF has 15 days to report privacy breaches to the California Department of Public Health and notify affected patients. Early notification to our office is required to give us sufficient time to investigate the incident and prepare any necessary notifications. Late reporting can result in significant penalties for the University. For more information, please refer to UCSF's Privacy Investigation Policy.
How to Report
If personally identifiable information is involved, please complete an Incident Report through RL Solutions using the Confidentiality/Healthcare Information category (Medical Center Employees) or contact the Office of Healthcare Compliance and Privacy as soon as possible.
If the incident involves a stolen or lost mobile device, such as a laptop, containing patient information you must also report the event to IT Security. If the stolen device was issued by the University, you must immediately contact UCSF Campus Police (415-476-1414) to report the theft.
Reporting Information
When reporting a potential privacy incident, please try to include the following information:
- Date and time the incident was discovered
- Name and contact information of the person who discovered the potential breach
- The specific information disclosed
- The number of individuals who had their information disclosed
- How the incident happened
- Actions taken following detection
- The department contact for follow-up
You will not be retaliated against for reporting a potential privacy breach in good faith.