DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
Fax - (212) 264-3039

SEP 10 2013

VA St. Louis Healthcare System
Belleville IL Community Based Outpatient Clinic
6500 West Main
Belleville, IL 62202
Attn: Privacy Officer

Re: OCR Transaction Number 12-14558?

Dear Privacy Officer:

On July 3, 2012 the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region office received a complaint filed by [name redacted] of [redacted] alleging that the VA St. Louis Healthcare System, Belleville IL Community Based Outpatient Clinic (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Please be advised that the complaint was referred to the Region II office for consideration.

Specifically, the complainant alleges that a nurse of the covered entity released his father's medical information without his father's consent or knowledge. This allegation could reflect a violation of 45 C.F.R. 164.502(a), 164.510 and 164.530(c).

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has determined that the following corrective actions are needed to bring the VA St. Louis Healthcare System, Belleville IL Community Based Outpatient Clinic into compliance with the Privacy and Breach Notification Rules:

1. Conduct an internal investigation regarding the alleged incidents;
2. Based on the findings of the internal investigation take the following actions:
   a. Retrain staff that disclosed record with respect to uses and disclosures of PHI
   b. Determine whether sanctioning staff is appropriate
   c. As required by the Breach Notification Rule, conduct a risk assessment of the impermissible disclosure to determine whether it constitutes a breach
      i. If appropriate, notify the complainant
      ii. Report the breach incident to HHS using the online breach reporting tool found at http://ocrnotifications.hhs.gov
      iii. Document the impermissible disclosure of the complainant's and her children's PHI in their record for accounting of disclosure purposes
      iv. Determine appropriate actions to mitigate the incident

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. This determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Shirlene Peterson at (212) 264-3979 (Voice), or at (212) 264-2355, (800) 537-7697 (TDD).

Regional Manager

Cc: Ms. Andrea Wilson, CIPP, VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2C1
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards


DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
Fax - (212) 264-3039

SEP 10 2013

Re: OCR Transaction Number 12-14558?

Dear [name redacted]:

On July 3, 2012 the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region office received your complaint of [redacted] alleging that the VA St. Louis Healthcare System, Belleville IL Community Based Outpatient Clinic (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Please be advised that your complaint was referred to the Region II office for consideration.

Specifically, your complaint alleges that a nurse of the covered entity released your father's medical information without his consent or knowledge. This allegation could reflect a violation of 45 C.F.R. 164.502(a), 164.510 and 164.530(c).

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose an individual's protected health information (PHI) without an authorization unless permitted or required by the Privacy Rule. In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided the VA St. Louis Healthcare System, Belleville IL Community Based Outpatient Clinic with guidance to comply with the Privacy and Breach Notification Rules. Specifically, OCR has determined that the following corrective actions are needed to bring the VA St. Louis Healthcare System, Belleville IL Community Based Outpatient Clinic into compliance with the Privacy and Breach Notification Rules:

1. Conduct an internal investigation regarding the alleged incidents;
2. Based on the findings of the internal investigation take the following actions:
   a. Retrain staff that disclosed PHI/medical record with respect to uses and disclosures of PHI
   b. Determine whether sanctioning staff is appropriate
   c. As required by the Breach Notification Rule, conduct a risk assessment of the impermissible disclosure to determine whether it constitutes a breach
      i. If appropriate, notify the complainant
      ii. Report the breach incident to HHS using the online breach reporting tool found at http://ocrnotifications.hhs.gov
      iii. Document the impermissible disclosure of the complainant's and her children's PHI in their record for accounting of disclosure purposes
      iv. Determine appropriate actions to mitigate the incident

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Shirlene Peterson at (212) 264-3979 (Voice), or at (212) 264-2355, (800) 537-7697 (TDD).

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards