?mveb? DEPARTMENT OF HEALTH 8.: HUMAN SERVICES OFFICE OF THE SECRETARY

 

Voice- (215) 8614441 Of?ce for Civil Rights, Region 
TDD {215) 861-4440 150 5. Independence Mall West

FAX - {215) 361-4431 Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

Reference: 13- 15921 1
Investigator: Alisha Welch
Contact Telephone: 215-851-4439
July 23, 2013

 



 

 

 

 

I'Ibllelibl'lfl'lcl I

Kaiser Pemanente
2101 E. Jefferson St.
Rockville, MD 20852

{Dii?l {bilillcl

 

 

Dear

 

 

 

On April 1, 2013, the Department of Health and Human Services (HHS), Office for Civil Rights
(OCR) received a complaint alleging that Kaiser Permanente (?Covered Entity?) is not in
compliance with the Federal Standards for Privacy of Individually Identi?able Health
Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 CPR. Parts 160 and 164, Subparts C, and E, the Privacy and Security Rules).
Speci?cally, ?Complainant?) alleges that his l. crevices: (?Affected
Party was removed om his account, and that another child lbw? (?Affected Party
was added to his account. After this error was corrected, Affected Party A?s medical
records were merged with Affected Party B?s records. When the Complainant logged on to his
account, he was able to view Affected Party B?s protected health infonnation. These allegations
could represent violations of 45 CPR. 164.502(a) [impermissible uses and disclosures] and 45
C.F.R. 164.530(c) [administrative, technical, and physical safeguards] of the Privacy Rule.

 

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit
discrimination in the delivery of health and human services because of race, color, national
origin, disability, age, and under certain circumstances, sex and religion.

On May 23, 2013, OCR noti?ed the Covered Entity of the complaint.

In a correspondence dated June 14, 2013, the Covered Entity provided OCR with a written
explanation of the circumstances surrounding this complaint. Affected Party A was removed
from the Complainant?s policy in error. When the Complainant brought the error to the Covered
Entity?s attention, Affected Party A was added back to the policy and assigned a new medical
record number. His former medical record number was assigned to Affected Party B. However,
the Covered Entity failed to disassociate Affected Party A's protected health information ?om
his old medical record number. The Complainant was able to view medical records associated

 

 

with both medical record numbers, including Affected Party B?s information. There is no
evidence that Affected Party B?s parents were able to view Protected Party A?s protected health
information.

The Covered Entity provided OCR with written assurance of the following: the Affected Parties?
medical records were separated on April 12, 2013. The Covered Entity contacted the
Complainant to confirm that he is no longer able to view Affected Party B?s protected health
mforrnation when he logs on to his account. The Complainant continued to OCR that the issues
have been satisfactorily resolved.

All matters raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of the Covered Entity. Therefore, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that
were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Alisha Welch, at (215) 861-443 9.

Sincerely,

Barbara J. Holland
Regional Manager