DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (617) 565-1340, (800) 368-1019
TDD - (617) 565-1343, (800) 537-7697
Fax - (617)

Office for Civil Rights, Region I
Government Center
J.F. Kennedy Federal Building, Room 1375
Boston, MA 02203-0002

FEB 2 2014

Our Reference number: 01-13-155468

Dear .

On February 6, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that the Department of Veterans Affairs (VA), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, on October 26, 2012, you received a large package of another veteran's protected health information (PHI). In addition, you allege that on February 5, 2013, the VA mailed your PHI to a private physician. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and .

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule allows health care providers and health plans to share protected health information (PHI) for permitted purposes using the mail or fax, as long as they use reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. 45 C.F.R. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

We have carefully reviewed your complaint against the VA and have determined to resolve this matter informally through the provision of technical assistance to the VA. Should OCR receive a similar allegation of noncompliance against the VA in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Erin Walker, Investigator, at Erin.Walker@hhs.gov, or (617) 565-1351 (Voice), (800) 537-7697 (TDD). Thank you for bringing this matter to our attention.

Sincerely,

Susan M. Pezzullo Rhodes
Acting Regional Manager


DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (617) 565-1340, (800) 363-1019
TDD - (617) 565-1343, (800) 537-7697
Fax - (617) 565-3809

Office for Civil Rights, Region I
Government Center
J.F. Kennedy Federal Building, Room 1375
Boston, MA 02203-0002

FEB 20 2014

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2C1
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Ave, NW
Washington DC 20420

Our Reference number: 01-13-155468

Dear Ms. Wilson:

On April 15, 2013, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region I received a complaint alleging that the Department of Veterans Affairs (VA), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complainant, [redacted], alleges that, on October 26, 2012, he received a large package of another veteran's protected health information (PHI). In addition, [redacted] alleges that on February 5, 2013, the VA mailed his PHI to a private physician in error. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and .

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Generally, the Privacy Rule permits a covered entity to make disclosures of protected health information (PHI) for a permitted purpose, through a variety of means, such as by mail or facsimile machine, as long as the covered entity, when doing so, uses reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

In this matter, the complainant alleges that PHI was impermissibly disclosed either through the mail or by fax. Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to VA.
To that end, OCR has enclosed a checklist of reminders on how to safely use the mail or fax machines when sending PHI. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.

Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against the VA in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Erin Walker, Investigator, at (617) 565-1351 (Voice), (800) 537-7697 (TDD).

Sincerely,

Susan M. Pezzullo Rhodes
Acting Regional Manager

Enclosure: Checklist