vb fm. acme DEPARTMENT OF HEALTH OFFICE OF THE 5 Voice {611'} 565-1340, (300) 363-1019, TDD 565- I343, {300] 537-7697 FAX (511') 565-3309, Ollie: for Civil Right, Region I JFK Federal Building. Room 1875 Governmt Center Bitten, MA 01203-0002 MAR 9 2012 privacyO?icer Brattleboro Retreat PO Box 803 Brattleboro, VT 05301 Our Reference number: 01-12-136546 Deal- and {blt?libltiltcl On December 20, 2011, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information and! or the Security Standards for the Protection of Electronic Protected Health Infonnation (45 CFR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complaint alleged that Brattleboro Retreat impermissiny disclosed a patient?s protected health information (PHI) without authorization. Further, the complaint alleged that Btattleboro Retreat did not respond reports of these allegations. These allegations could re?ect violations of 45 C.F.R. 164.502 164.503 and 164.530 respectively. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circm?nstances, sex and religion. On February 1, 2012 OCR noti?ed Brattleboro Retreat of the complaint. The complaint alleged that Brattleboro Retreat disclosed the complainant?s PHI to a family member without her authorization and did not respond to her report of this disclosure. investigation con?rmed the allegation; a Brattleboro Retreat employee relied on an invalid authorization in the patient?s ?le to make the disclosure. In response to this incident, Brattleboro Retreat took the following steps: the responsible employee was sanctioned according to Brattleboro Retreat?s sanctions policy; the employee was retrained; an accounting of the disclosure was made in the complainant?s ?le; Brattleboro Retreat mitigated the harm by discussing the matter with the complainant on several occasions, and a notation was made in the complainant?s ?le that no PHI should be released without an updated authorization from her. Transaction 01-12-136546 OCR reviewed Brattleboro Retreat?s policies and procedures regarding uses and disclosures of PHI and authorizations and they appear to be in compliance with the Privacy Rule. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of Brattleboro Retreat. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted bylaw, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Monika Rushford, Investigator, at (617) 565-1345 (Voice), (617) 565-1343 (TDD). Sincerely, Peter K. Chan Regional Manager