JFK Federal Building, Room 1875 Government Center Boom-,MA 02203-01102 Ma" i one HEAL TARY .5 Voice (an) 555?1340. (soc) 353-1019, run (517} 555- 1343, (300) 537-7597 FAX (617) 555.3309, an; 391 Office for can we, Region] SEP 2 3 2013 {blt?ltbl??ltcl RHIT Privacy Officer Brattleboro Retreat Anne Marsh Lane P.0. Box 803 Brattleboro, VT 05302 Our Reference number: 13-156756 {meters} Dear {Cl On March 12, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually identifiable Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complaint alleges that Brattleboro Retreat has insufficient safeguards for systems containing patient protected health information. This allegation could re?ect a violation of 45 CPR. ?164.530(c) OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. i On June 27, 2013, OCR noti?ed Brattleboro Retreat of the complaint. Brattleboro Retreat provided us with written assurance of the following: it switched to an electronic health record in February 2012; this system was initially implemented such that the search ?mction would show clients beyond the searching employee?s caseload. After reviewing this issue, Brattleboro Retreat updated their software and altered the search function such that employees cannot view patient information of patients not in their caseloads. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of Brattleboro Retreat. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect infonnation that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Phil Lewis, Investigator, at (617) 565-1355 (Voice), (617) 565-1343 (TDD). Sincerely, Emu/rumba? Peter K. Chan Regional Manager . it bq? 5 on]? FFI TARY - Voice (cm 555-1340. (soc) sea-1019, TDD (611) 565- 1343, (son) sat?r591 Sh.? FAX {617) 565-3809, [Inn'?urwwh? gm Of?ce for Civil Rights, Region I - JFK Federal Building. Room 1315 Government Center SEP 2 3 2013 Boston. oases-non: {blt?libltiltcl Our Reference number: 13-156756 Dear On March 12, 2013, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complaint alleges that Brattieboro' Retreat has insufficient safeguards for systems containing patient protected health information. This allegation could re?ect a violation of 45 C.F.R. ?164.530(c) dc OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On June 2013, OCR noti?ed Brattleboro Retreat of the complaint. Brattleboro Retreat provided us with mitten assurance of the following: it switched to an electronic health record in February 2012; this system was initially implemented such that the search function would show clients beyond the searching employee?s caseload. After reviewing this issue, Brattleboro Retreat updated their software and altered the search function such that employees cannot view patient information of patients not in their caseloads. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of Brattleboro Retreat. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Phi] Lewis, Investigator, a: 565-1355 (Voice), (617) 565-1343 (T DD). Sincerely, Mme Peter K. Chan Regional Manager