DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019

SEP 27 2013

Re: OCR Transaction Number: 12-137735

Dear [name redacted]:

On June 14, 2012, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received your complaint alleging that the New York Presbyterian Hospital (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that the covered entity failed to safeguard your protected health information (PHI). You assert that in July 2011, the covered entity notified you that they found your briefcase which contained your name, address, date of birth, social security number, diagnoses and health history. You further assert that the briefcase belonged to your social worker assigned to your case, who admitted to losing the briefcase that contained your file and other patient files in March 2011 and did not report it missing. These allegations could reflect violations of 45 C.F.R. §164.404, §164.408 and §164.414 respectively.

Thank you for bringing this matter to our attention. Your complaint is an integral part of our enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. A covered entity may not use or disclose an individual's PHI without an authorization unless permitted or required by the Privacy Rule.
In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use or disclosure pursuant to otherwise permitted or required use or disclosure.

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided the New York Presbyterian Hospital with guidance to comply with the Privacy Rule requirements. The New York Presbyterian Hospital provided OCR with documentation that it has taken the following steps toward coming into compliance with the Privacy Rule:

1. Retrained Social Work staff on safeguarding patient files.
2. Improved the practice of handling files when it is not appropriate to take them into a patient's room.
3. Conducted a focused compliance review with members of the Social Work staff.
4. Disseminated the new practice to Social Work staff.
5. Provided you with two (2) years of credit monitoring and resolution services in the unlikely event that your personal information from your file was wrongfully used.
6. Determined as required by the Breach Notification Rule that the incident did not constitute a breach.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to reasonable safeguards. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions regarding this matter, please contact Lisa Lee Anderson, Special Assistant, by email at lisa.anderson@hhs.gov or by telephone at (212) 264-2073. Thank you for bringing this matter to our attention.

Sincerely,

Linda C. Colon
Regional Manager
Office for Civil Rights, Region II

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. §164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. §164.530. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.
Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355
FAX - (212) 264-5039

SEP 27 2013

Compliance and Privacy Officer
New York Presbyterian Hospital
525 East 68th Street
New York, NY 10021

Re: OCR Transaction Number: 12-137735

Dear [name redacted]:

On June 14, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that the New York Presbyterian Hospital (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleged the covered entity failed to safeguard his protected health information (PHI). The complainant asserted that in July 2011, the covered entity notified him that they found his briefcase which contained his name, address, date of birth, social security number, diagnoses and health history. The complainant further asserted that the briefcase belonged to his social worker assigned to his case, who admitted to losing the briefcase that contained his file and other patient files in March 2011 and did not report it missing. These allegations could reflect violations of 45 C.F.R. §164.404, §164.408 and §164.414 respectively.
OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. A covered entity may not use or disclose an individual's PHI without an authorization unless permitted or required by the Privacy Rule. In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use or disclosure pursuant to otherwise permitted or required use or disclosure.

OCR is pleased that, in response to our investigation, the New York Presbyterian Hospital has taken the following steps toward coming into compliance with the Privacy Rule:

1. Retrained Social Work staff on safeguarding patient files.
2. Improved the practice of handling files when it is not appropriate to take them into a patient's room.
3. Conducted a focused compliance review with members of the Social Work staff.
4. Disseminated the new practice to Social Work staff.
5. Provided you with two (2) years of credit monitoring and resolution services in the unlikely event that your personal information from your file was wrongfully used.
6. Determined as required by the Breach Notification Rule that the incident did not constitute a breach.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of the New York Presbyterian Hospital related to your compliance with the Privacy Rule. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Lisa Lee Anderson, Special Assistant, by email at lisa.anderson@hhs.gov or by telephone at (212) 264-2073. Thank you for bringing this matter to our attention.

Regional Manager
Office for Civil Rights, Region II