Reporting a Privacy Incident

Per UC Davis Health Policy & Procedure (P&P) 1302, Protected Health Information (PHI)/Personal Information (PI) Breach Notification, all employees are required to report any known or suspected privacy breaches to the Compliance Department upon discovery.

You must report a privacy incident by notifying your supervisor and using any one of the following methods:

If you would like to anonymously report concerns regarding specific activities or practices you believe are privacy violations, you may call the UC Ethics Point Hotline at (877) 384-4272. If submitting a complaint this way, please provide as much detailed information as possible so we can adequately and appropriately investigate your concerns. This method of reporting should not be used to report incidents such as misdirected faxes or documents distributed to the wrong patient.

Privacy incidents should be reported to the Compliance Department as soon as they are discovered, even if you are unable to immediately obtain and relay all the facts. The Compliance Department is responsible for investigating each privacy incident, determining whether a privacy violation has occurred, and reporting the breach if required, pursuant to state or federal law. The Compliance Department must be notified of privacy incidents as soon as they are discovered to avoid delays in mandatory reporting, which may subject you and UC Davis Health to fines and penalties.

When reporting a privacy incident, be prepared to provide the following information:

  • The date the incident occurred
  • The date the incident was discovered
  • How the incident occurred
  • How the incident was discovered
  • The name(s) of the patient(s) whose information was disclosed
  • The name(s) of the recipient(s) of the disclosed information
  • The specific information disclosed (if possible and applicable, please provide a copy of the document)
  • Actions taken to mitigate harm
  • The name(s) of the individual(s) responsible for the disclosure
  • The department contact for follow-up questions

If the incident involves a stolen or lost device containing patient information, such as a laptop, you must also report the matter to the Information Technology (IT) Department by calling 916-734-4357. If the device was stolen, you must report the incident to UC Davis Health Campus Police by calling 916-734-2555.

For additional information regarding reporting privacy incidents, see P&P 1302, Protected Health Information (PHI)/Personal Information (PI) Breach Notification and P&P 2446, Tracking Disclosures of Protected Health Information (PHI).

Patient Information: This is the patient whose information was disclosed. The patient’s name and date of birth will auto-populate when the medical record number is entered.

Disclosure Date: This should be the date the disclosure occurred, not the date we learned of the incident. However, if the disclosure date is unknown, you may use the date the incident was discovered or reported.

Recipient Information: This is the person (or business) who received the information. You may need to look up this recipient's information to add the address information. If the recipient cannot be identified, enter "unknown".

Form Name or Description of Information Disclosed: This is a description of the type of information that was disclosed (e.g., patient name, medical record number, date of birth, diagnosis, lab test results, etc.). A summary of the incident resulting in the disclosure should not be included.

Disclosing Person's Information: This should be the person responsible for the disclosure, not the individual entering the data, unless they are the same person. Although this information will not be provided to the patient if he/she requests an accounting of disclosures, it is used for internal purposes. If the person responsible for the disclosure cannot be identified, you may enter your supervisor’s name and phone number.

Purpose of Disclosure: Choose the most appropriate reason for the disclosure. In certain circumstances, we are legally required to report patient information to different agencies. However, for a disclosure that was not required by law, choose "Not Permitted by HIPAA." When this option is selected, the Compliance Department is immediately notified of the disclosure.