some DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY ]voice-? (215) 861-4441 Offica for Civil Rights, Region TDD - (215)361?4440 150 5. Independence Hall West FAX (2 15) 551-4431 Public Ledger Building, Suite 3?2 W.h Philadelphia, PA 19106-3499 Reference: 13-164036 Investigator: Jamie Rahn Ballav Contact Telephone: 215-861-4432 March 17, 2014 {bli?libliiliCl Director, Privacy and Civil Liberties O??ice TMA Privacy and Civil Liberties Of?ce 7700 Arlington Boulevard, Falls Church, VA 220426101 Dear On August 5, 20I3, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received this complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for theProtection of Electronic Protected Health Information (45 CPR. Parts ion and 164, Subparts A, C, and E, the Privacy and Speci?cally, the Complainant, alleges that that on July 24, 2013, an employee of the Washington Navy Yard Branch Health Clinic (the Covered Entity), impermissiny disclosed his protected health information (PHI) to his employers when she faxed his medical referral to a day supervisor at the Complainant?s place of employment. These allegations could represent violations of 45 C.F.R. ?164.502(a) [impermissible us'esr?disclosures] and ?164.530(c) [safeguards] of the Privacy Rule. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. investigation revealed that the Complainant is a civilian police of?cer at the Covered Entity?s facility. In May of 2013, the Complainant was due for his annual medical surveillance certi?cation. The Complainant?s preliminary screening at the Covered Entity?s facility showed abnormal results, which required the Complainant to follow up with his civilian medical provider. According to Iii-?li?ilii?liilicl Ian occupational health nurse at the Covered Entity?s facility, she attempted to contact the Complainant regarding these results and the need for him to follow-up with his civilian physician on several occasions, but was ultimately unsuccessful in reaching the Complainant. On July 24, 2013, called dwinenisnr at the Complainant?s place of employment. The day supervisor informed {bj'?jw'm?j that the Complainant works the night shift, and suggested tliatlimimm'imm Ifax him any information for the Cornplainant so that he could place the information 111 Complainant?s private mailbox. In response, Washed her secretary, to fax the Complainant?s referral form and test results to the day supervisor, who received the fair and placed it in the Complainant?s mailbox. Based on this information, OCR ?nds the Complainant?s allegations to be substantiated. In response to this incident, the Covered Entity counseled and regarding the impermissible disclosure of the Complainant?s PHI. Additionally, I was required to complete additional HIPAA training. Finally, the Covered Entity sent a letter of apology to the Complainant regarding this incident. Consequently, OCR ?nds that all matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions and mitigation efforts of the Covered Entity. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Jamie Rahn Ballay, Investigator, at (215) 361-4432. Barbara J. Holland Regional Manager