U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Regional Manager
Office for Civil Rights
999 13* Street South Terrace, Suite 417
Denver, Colorado 80202
Telephone: (303) 844-7915
FAX: (303) 344-2025
TDD: (303) 344-3439

August 23, 2012

J.

Re: Prater v. Veteran's Administration Clinic Alamosa, Colorado
OCR Transaction Number: 12-144269

Dear

On June 4, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received your complaint. You alleged that the Veteran's Administration Clinic in Alamosa, Colorado (VA Clinic) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, Subparts A, and E, the Privacy and Security Rules). Specifically, you allege that, on June 1, 2012, you entered the VA Clinic and the nurse at the front desk began discussing information that included your protected health information (PHI) which information you allege could be overheard by others in the waiting area. This allegation, if substantiated, could reflect a violation of 45 C.F.R. 164.502(a) and

Thank you for bringing this matter to attention. Your complaint plays an integral part in enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules. OCR also enforces Federal civil rights laws, which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of PHI that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.(1) For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider or the patient in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice or moving to a more private location.

(1) 45 C.F.R.

We have carefully reviewed your complaint against the VA Clinic and have determined to resolve it informally through the provision of technical assistance. Should OCR receive a similar allegation of noncompliance against the VA Clinic in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing your complaint without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in the complaint that OCR reviewed.

Under the Freedom of Information Act, we may be required to release this letter and other information about the subject matter upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding disposition of your complaint, please contact Ms. Kelly Lewis J.D., Equal Opportunity Specialist, at (303) 344-7833 or via email at kellv.lewis@hhs.gov. Thank you.

Sincerely,

Velveta Howell
Regional Manager