Wm? 5: OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY voioo? {215) 8614441 Of?ce for Civil Rights, Region 111 as, TDD - {215) 861-4440 . 150 5. Independence Hall West FAX - {215) 351-4431 Public Ledger Building, Suite Philadelphia, PA 1s1oe-3499 Reference: 13-15mm Investigator: Jamie Rahn Ballav Contact Telephone: 215-861?4432 September 26, 2013 I Director, Privacy and Civil Liberties Of?ce TMA Privacy and Civil Lib 7700 Arlington Boulevard, {blitibi'iic? Falls Church, VA 22042-5101 {Dilibltibl Dear we; {biliath On April 16, 2013, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received this complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health andfor the Security Standards for the Protection of Electronic Protected Health Information {45 CPR. Parts 160 and 164 Subparts A, C, and E, the snooty. and Security Rules). Speci?cally, the Complainantalleges that on March 30, 2013, McDonald Anny Health Center (the Covered Entity) sent her mother test results belonging to another patient (the Affected Party). As the Covered Entity?s former Privacy O?icer, the Complainant alleges that errors of this type occurred at least ?ve times per month while she was employed there. These allegations could represent violations of 45 CPR. ?164.502(a) [impermissible usesfdisclosures] and ?164.530(c) [safeguards] of the Privacy Rule and ?164.404{a) [noti?cation to the individual] of the Breach Noti?cation Rule. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which . prohibit discrimination in the delivery of health and human sci-?ees because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. investigation revealed that the Covered Entity mistakenly mailed a referral letter containing the Affected Party?s protected health information (PHI) to the Complainant?s mother on March 27, 2013. As a result, the Covered Entity noti?ed the Affected Party of the incident as per the requirements of the Breach Noti?cation Rules and provided her with an apology letter on May 2, 2013, The Covered Entit}r has con?rmed that this disclosure has been accounted for in its records as the Privacy Rule requires. Furthermore, the (Severed Entity con?rmed that the Complainant has since returned the subject referral letter to the facility. To mitigate the effects of the incident and prevent similar incidents ?om occurring in the ?rture, the responsible department within the Covered Entity?s facility has ceased the process of mailing referral letters to patients. Additionally, the employee responsible for the disclosure has been sanctioned in accordance with the Covered Entities sanction policies. As part of this investigation, OCR reviewed the Covered Entity?s policies and procedures regarding the safeguards it has in place to prevent the impermissible use and disclosure of PHI. OCR con?rmed that appropriate safeguards are in place to prevent the impermissible use and disclosure of PHI and that this particular incident was the result of unintentional human error. OCR did not ?nd any evidence to substantiate the Complainant?s claim that such incidents occur at the Covered Entity?s facility on a regular basis. Consequently, all matters raised by this compiaint at the time it was ?led have now been resolved through the voluntary compliance actions and mitigation efforts of the Covered Entity. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Jamie Rahn Ballay, Investigator, at (215) 861 41432. Sincerely, ara J. Holland Regional Manager