DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10273

Voice - (212) 264-3313, (800) 363-1019
TDD - (212) 264-2355, (800) 537-7697
Fax - (212) 264-3039

AUG 07 2013

Veteran's Association Hospital
7er Middleville Road

Re: OCR Transaction Number 13-152336

Dear Privacy Officer:

On November 19, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint filed by [redacted] (the complainant) alleging that an employee of the Veteran's Association Hospital (the covered entity) named [redacted] (his child's mother) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complainant alleges that a staff member of the covered entity who is not involved with his healthcare impermissibly accessed his medical record. This allegation could reflect a violation of 45 C.F.R. 164.510 and

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care.
The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530

In this matter, the complainant alleges that the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant or that the complainant's PHI was otherwise impermissibly used by an employee of the Veteran's Association Hospital.

Pursuant to its authority under 45 C.F.R. 160.304(a) and (b), OCR has determined to resolve this matter informally through the provision of technical assistance to the Veteran's Association Hospital. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards.
It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act training you provide to your workforce. It is also our expectation that you will assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against the Veteran's Association Hospital in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Shirlene Peterson at (212) 264-3979 (Voice), or at (212) 264-2355, (800) 537-7697 (TDD).

Sincerely,

lid/F C. Colon
Regional Manager

cc: [redacted], RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office (WNW
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards


DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10273

Voice - (212) 264-3313, (800) 363-1019
TDD - (212) 264-2355, (800) 537-7697
Fax - (212) 264-3039

[redacted]

AUG 0 2013

Re: OCR Transaction Number 13-152336

Dear [redacted],

On November 19, 2012, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), received your complaint alleging that your child's mother, who is an employee of the Veteran's Association Hospital (the covered entity), has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that a staff member of the covered entity who is not involved with your healthcare impermissibly accessed your protected health information. This allegation could reflect a violation of 45 C.F.R. 164.510 and

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual's family, friends, or other persons identified by the individual the protected health information that is directly relevant to such person's involvement with the individual's care or payment for care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object,
or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530

We have carefully reviewed your complaint against the Veteran's Association Hospital and have determined to resolve this matter informally through the provision of technical assistance to the Veteran's Association Hospital. Should OCR receive a similar allegation of noncompliance against the Veteran's Association Hospital in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions, please contact Shirlene Peterson at (212) 264-3979 (Voice), or at (212) 264-2355, (800) 537-7697 (TDD).

Regional Manager

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards