DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IX
90 7th Street, Suite 4-100
San Francisco, California 94103
Voice - (415) 437-8310, (800) 368-1019
TDD - (415) 437-8311, (800) 537-7697
FAX - (415) 437-8329

May 2011

Our Reference number: 11-124255

Dear

On February 22, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received your complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complaint alleges that Veterans Health Administration (the covered entity) does not adequately safeguard patients' health information by allowing such information to be overheard by others. More specifically, you allege that can overhear other patients' protected health information in the medical-surgical ward when the medical team conducts its rounds discussing each patient's case.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule requires covered entities to apply reasonable safeguards when making permissible disclosures of patient protected health information, and to have in place appropriate administrative, technical and physical safeguards to protect the privacy of patient protected health information. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures not permitted by the Privacy Rule. 45 C.F.R. The Privacy Rule, however, does not provide specific rules on how a covered entity safeguards protected health information.
Additionally, the Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. Overheard communications in these settings may be unavoidable and the Privacy Rule allows for these incidental disclosures.

Based upon our review of your correspondence, OCR has advised the covered entity of the concerns described in your complaint. The facility has been provided with technical assistance on appropriate safeguards and prevention of impermissible disclosures of patient protected health information under the Privacy Rule. Your name was not disclosed to the covered entity during this process since we did not have your permission to release that information. If in the future, the covered entity fails or refuses to take steps to address this concern based upon the technical assistance provided by OCR, we may need to contact you in connection with a formal investigation. It has been our experience, however, that health care providers are generally responsive to privacy concerns raised in this context.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions or require technical assistance, please contact the office at (415) 437-8310.

Sincerely,

Michael F. Kruley
Regional Manager

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IX
Voice - (415) 437-8310, (800) 368-1019
TDD - (415) 437-8311, (800) 537-7697
90 7th Street, Suite 4-100
San Francisco, California 94103
FAX - (415) 437-8329

May 31, 2011

Andrea Wilson
VHA Privacy Implementation Coordinator
VHA Privacy Office (19F2)
OI Central Office
810 Vermont Avenue, NW
Washington, DC 20420

Our Reference number: 11-124255

Dear Ms. Wilson:

On February 22, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complaint alleges that Veterans Health Administration, Sierra-Nevada Health Care System in Reno, NV does not adequately safeguard patients' health information by allowing such information to be overheard by others. More specifically, the complaint alleges that can overhear other patients' protected health information in the medical-surgical ward when the medical team conducts its rounds discussing each patient's case.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule recognizes that health care providers must be able to communicate quickly and effectively to ensure appropriate treatment. Thus covered entities are free to engage in communications as required for quick, effective, and high quality health care. Overheard communications in these settings may be unavoidable and the Privacy Rule allows for these incidental disclosures. Covered entities such as hospitals or doctors'
offices are, however, required to have in place appropriate administrative, technical and physical safeguards to protect the privacy of patient protected health information. 45 C.F.R. In addition, covered entities must reasonably restrict how much health information is used or disclosed, and disclose only the minimal necessary to achieve the purpose of the disclosure. 45 C.F.R. Covered entities must also limit who within the entity has access to protected health information. 45 C.F.R.

The Privacy Rule does not provide specific rules on how a covered entity safeguards protected health information, as you and your staff are in the best position to identify and tailor safeguards that are appropriate to the circumstances. Covered entities are not required to create private rooms, soundproof rooms or telephone systems. Rather, covered entities are expected to implement reasonable safeguards. Possible safeguards may include limiting conversations with patients in public areas such as waiting rooms, moving a patient from a public area to a more private area before engaging in a discussion involving patient protected health information, and/or lowering voices when communicating in an area where conversations can be overheard. These examples of possible safeguards are not intended to be exhaustive. For additional examples and general information about Privacy Rule safeguards please visit the Frequently Asked Questions page of our website.

It is not our intention to undertake a formal investigation of this matter at this time. We ask however that your Privacy Officer examine this issue to ensure that the facility is fully complying with its internal privacy policies and practices, and, if necessary, to take corrective action to reinforce your practices as they relate to this incident.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions or require technical assistance, please contact the office at (415) 437-8310.

Sincerely,

Michael F. Kruley
Regional Manager