all-V1033,

pr a.
i
i DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
Voice-(21533514441, 
a? (FAX) (215;. 351.4431  Of?ce for Civil Rights, Rogion n1
mm 150 5. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19105-3499
June 3, 2012
Privacy O?icer
Kaiser Permanente
2101 East Je??erson Street

Rockville, Maryland 20352

 



 

 

 

Our Transaction number: 133870

Dear Privacy Of?cer:
(endemic)

 

 

 

 

Please be advised that the Department of Health and Human Services (HHS), O?ice for Civil
Rights (OCR) received a complaint on October 28, 2011 alleging that Kaiser Pennanente is not in
compliance with the Federal standards for privacy of individually identi?able health information 
Privacy Rule, 45 can. Parts 160 and 154, Subparts A, and E). Speci?cally
(the complainant) alleges that Kaiser Permanente denied him access to copies of the

retested health information lavas the personal representative of
After several requests, they did produce the records.

OCR is responsible for enforcing the Privacy and Security Rules as it applies to covered entities.
Covered entities include health care ciearinghouses, health plans and, health care providers that
nansrnit health information in electronic form in connection with a transaction for which the
Department of Health and Human Sendces has adopted standards (See 45 C.F.R. Part 162).

This letter is intended to provide you widi information about the requirements of the Privacy Rule
with respect to an individual?s right to access their protected health information maintained by a
health care provider. The Privacy Rule, gives an individual the right of access to
inspect and to obtain a cepy of hisfher protected health infonnation. It does not require that
covered entities send medical information to other health care providers or to other entities. In
addition, the Privacy Rule, allows covered entities to charge a reasonable fee to
individuals who have the right to access their protected health infonnation. Under the Privacy
Rule, at 45 C.F.R. covered entities must respond to a request to access
protected health information within 30 days from the day of receipt of the request. In the case of
the correspondence received by this of?ce, the request for records was ?il?lled but not within the
30 days as mandated by the Privacy Rule. For this reason, OCR is providing Technical Assistance
with this letter about the requirements of the Privacy Rule and its obligation to comply with those

 

 

obligations.

Please be advised, if OCR received additional complaints which indicate potential Privacy Rule
Violations, OCR may pursue appropriate enforcement actions.

Ifyou should have anyr questions, or would like additional information, please do not hesitate to
contact Ms. Maureen Carney, Investigator, at (215) 861-4439.

Sincerely,

lene L. Rey

Acting Regional Manager