DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY 1tit-ilee- (215] 861-4441 Of?ce for Civil Rights, Region TDD (215] 861-4440 150 5. Independence Mall West PM - {215} 361?4431 Public Ledger Building, Suite 332 MW Philadelphia, PA 19106-3499 Reference: 13-149592 Investigator: Ralph Balsamo Contact Telephone: 2 15861-4444 July 26. 2013 (bite) Dear Thank you for your correspondence received on or about October 4, 2012, by the Department of Health and Human Services, Of?ce for Civil Rights (OCR). In your complaint, you allege a violation of the Federal Standards for Privacy of Individually Identi?able Health Information andior the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, you allege that employees of the Walter Reed Hospital (covered entity) violated the Privacy Rule by disclosing your protected health information in a setting that was less than private. Thank you for bringing this matter to 0011?s attention. Your complaint plays an integral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, set and religion. The Privacy Rule permits certain incidental uses and disclosures of protected health information (PI-11) that occur as a by?product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering hisiher voice. We have care?illy reviewed your complaint against the covered entity and have determined to resolve this matter informally through the provision of technical assistance to the covered entity. Should OCR receive a similar allegation ofnoncomplianee against the covered entity in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you should have any questions, please do not hesitate to contact Mr. Ralph Balsamo of my staff at (215)861-4444 or (215) 861-4440 (TTY). Sincerely, Whaan Barbara . Holland Regional Manager ?imwt. DEPARTMENT HEALT OFFICE OF THE SECRETARY Voice- (215) 361-4441. (215} 861-4440 Of?ce for Civil Rights, Region FM. {215} 5514431 Hill 5. Independence Mall West mm Pubic Ledger Building, Slite 372 Philadelphia, PA 19106-3499 Reference: 13-149692 Investigator: Ralph Balsamo Contact Telephone: 215-86 1-4444 July 26, 2013 Director, Privacy and Civil Liberties Office TRICARE - ement Activity Skyline 5, 51 ll Leesburg Pike Falls Church VA 22041 Dear The US. Department of Health and Human Services Office for Civil Rights (OCR), Region 11] received a complaint alleging that TRICARE, the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information (45 CPR. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the complainant alleges that, while she was being treated at the Walter Reed Hospital, her protected information was disclosed in a setting that was less than private. This allegation could re?ect a violation of 45 CPR. 164502(a) and 16453002}. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering hisfher voice. In this matter, the complainant alleges the incidental use or disclosure of PHI was not permissible, eithm because reasonable safeguards were not in place to prevent the use or disclosure andfor because the minimum necessary standard was not implemented when it should have been. Pursuant to its authority under 45 CPR. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to the covered entity. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against the covered entity in the ?iture, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without ?trther action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you should have any questions, please do not hesitate to contact Mr. Ralph Balsamo of my staff at (215} 861-4444 or (215) 861-4440 CITY). Sincerely, Barbara J. Holland Regional Manager Enclosures: Incidental Disclosures Reasonable Safeguards Minimum Necessary