DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355
FAX - (212) 264-3039

[redacted]
Privacy Officer
William Beaumont Hospital
3601 W. Thirteen Mile Road
Royal Oak, MI 48073-6769

AUG 26 2013

OCR Transaction Number: 11-129431

Dear [redacted]:

On June 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that William Beaumont Hospital (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that sometime between February 2011 and April 2011, [redacted] and members of the covered entity's staff disclosed the complainant's health information to a former co-worker. This allegation could reflect a violation of 45 C.F.R. 164.502(a), respectively.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties,
the categories or types of protected health information needed, and conditions appropriate to such access. See 45 C.F.R. 164.502 and

OCR has determined that the following corrective actions are needed to bring William Beaumont Hospital into compliance with the Privacy Rule:

1. Conduct an internal investigation of the allegation. Based on the findings of the internal investigation take the following actions:
   a. Review and update if needed, the covered entity's HIPAA policy and procedure with respect to the minimum necessary, uses and disclosures and safeguards of PHI.
   b. Retrain staff that disclosed the complainant's PHI regarding the covered entity's HIPAA policy and procedures related to the minimum necessary, uses and disclosures and safeguards of PHI.
   c. Determine whether sanctioning staff is appropriate.
2. As required by the Breach Notification Rule conduct a risk assessment to determine whether the incident constitutes a breach. If so, notify the complainant. Report the breach incident to HHS using the online breach reporting tool found at Additionally, document the impermissible disclosure in the complainant's medical record for accounting of disclosure purposes.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of William Beaumont Hospital, related to your compliance with the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Cheylisia Edwards, Investigator, at (212) 264-4148 (Voice), or (212) 264-2355 (TDD).

Sincerely,

Linda C. Colon
Regional Manager


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355
FAX - (212) 264-3039

AUG 26 2013

Our Transaction Number: 11-129431

On June 27, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that William Beaumont Hospital (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that sometime between February 2011 and April 2011, [redacted] members of the covered entity's staff disclosed your health information to a former co-worker. This allegation could reflect a violation of 45 C.F.R. and 164.530, respectively.

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule,
a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. See 45 C.F.R. 164.502 and

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided William Beaumont Hospital with guidance to comply with the Privacy Rule. Specifically, the covered entity will take the following steps to comply with the Privacy Rule:

1. Conduct an internal investigation of the allegation.
2. Based on the findings of the internal investigation take the following actions:
   a. Review and update if needed, the covered entity's HIPAA policy and procedure with respect to the minimum necessary, uses and disclosures and safeguards of PHI.
   b. Retrain staff that disclosed the complainant's PHI regarding the covered entity's HIPAA policy and procedures related to the minimum necessary, uses and disclosures and safeguards of PHI.
   c. Determine whether sanctioning staff is appropriate.
3. As required by the Breach Notification Rule conduct a risk assessment to determine whether the incident constitutes a breach. If so, notify you. Report the breach incident to HHS using the online breach reporting tool found at Additionally, document the impermissible disclosure in your medical record for accounting of disclosure purposes.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Cheylisia Edwards, Investigator, at (212) 264-4148 (Voice) or (212) 264-2355 (TDD).

Sincerely,

Linda C. Colon
Regional Manager