DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (617) 565-1340, (800) 368-1019
TDD - (617) 565-1343, (800) 537-7697
Fax - (617) 565-3809

Office for Civil Rights, Region I
Government Center
J.F. Kennedy Federal Building, Room 1375
Boston, MA 02203-0002

NOV 25 2013

Our Transaction Number: 01-12-145440

Dear

On July 6, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that Brattleboro OB/GYN has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that Brattleboro OB/GYN impermissibly disclosed a patient's protected health information in sending his medical information to a debt collection agency. This allegation could reflect a violation of 45 C.F.R. 164.502(b) and

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
For example, a covered entity may disclose billing information to a collection agency, but may not be permitted to disclose a patient's treatment information.

We have carefully reviewed your complaint against Brattleboro OB/GYN and have determined to resolve this matter informally through the provision of technical assistance to Brattleboro OB/GYN. Should OCR receive a similar allegation of noncompliance against Brattleboro OB/GYN in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to Minimum Necessary.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Keisha Edwards, Investigator, at (617) 565-1349 (Voice) or (617) 565-1343, (800)

Sincerely,

Peter K. Chan
Regional Manager

Enclosure: The Minimum Necessary Requirement

DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (617) 565-1340, (800) 368-1019
TDD - (617) 565-1343, (800) 537-7697
Fax - (617) 565-3809

Office for Civil Rights, Region I
Government Center
J.F. Kennedy Federal Building, Room 1375
Boston, MA 02203-0002

NOV 25 2013

(b)(6), (b)(7)(C) CPC
Brattleboro OB/GYN
21 Echo ont Ave
Brattleboro, VT 05363

Our Transaction Number: 01-12-145440

Dear (b)(6), (b)(7)(C)

On July 6, 2012, the U.S.
Department of Health and Human Services, Office for Civil Rights (OCR), received a complaint alleging that Brattleboro OB/GYN has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that Brattleboro impermissibly disclosed a patient's protected health information in sending his medical information to a debt collection agency. This allegation could reflect a violation of 45 C.F.R. 164.502(b) and

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity disclosed more than the minimum necessary amount of protected health information (PHI) when providing PHI to a collection agency or other entity for payment purposes. A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. For example, a covered entity may disclose billing information to a collection agency, but may not be permitted to disclose a patient's treatment information.

Pursuant to its authority under 45 C.F.R.
160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to Brattleboro. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Minimum Necessary. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review the facts of this individual's complaint and provide the individual the appropriate written response swiftly if necessary to comply with the requirements of the Privacy Rule.

Should OCR receive a similar allegation of noncompliance against Brattleboro OB/GYN in the future, OCR may initiate a formal investigation of that matter. In addition, please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of Brattleboro OB/GYN related to your compliance with the Privacy Rule's provisions related to Minimum Necessary.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Keisha Edwards, Investigator, at (617) 565-1349 (Voice) or (617) 565-1343, (800) 537-7697 (TDD).

Sincerely,

Peter K. Chan
Regional Manager

Enclosure: The Minimum Necessary Requirement