0 ?Mega



DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE 

 

Voice- {215) 851-4441 Of?ce for Civil Region 
TDD {215) 3614440 150 S. Independenca Hall West
FAX - {215) 351-4431 Public Ledger Building, Suite 

Philadelphia, PA 19106-3499

Reference: 168363
Investigator: Elizabeth Benson
Contact Telephone: 2 15?861-4427

November 6, 2013

 



 

 

 

 

OCR Transaction Number: 168363

Dear 

On October 9, 2013, the U.S. Department of Health and Human Services (HHS), O?ice for Civil
Rights (OCR), received your complaint alleging that the VA Pittsburgh Healthcare System, the
covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Suhparts A, C, and E, the Privacy and Security
Rules). Speci?cally, you allege that on September 27, 2013, patients in the blood draw room
were asked to provide their name and social security number and this information could be
overheard by other patients in the area. This allegation could re?ect a violation of 45 CPR. 


Thank you for bringing this matter to attention. Your complaint is an integral part of
enforcement efforts. 

OCR enihrces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation
of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted
or required use or disclosure. 45 C.F.R. For example, such safeguards might
include shredding documents containing protected health information before discarding them,
securing medical records with lock and key or pass code, and limiting access to keys or pass
codes.

We have carefully reviewed your complaint against the VA Pittsburgh Healthcare System and
have determined to resolve this matter informally through the provision of technical assistance to
the covered entity. Should OCR receive a similar allegation of noncompliance against the VA

 

 

Pittsburgh Healthcare System in the future, OCR may initiate a formal investigation of that
matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule
provisions related to Safeguards.

Based on the foregoing, OCR is closing this case without ?nther action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Elizabeth Benson, Investigator, at 215*
861-4427 (Voice), 215-861-4440 (TTY).

Sincerely,

Barbara J. Holland
Regional Manager

Enclosure: Reasonable Safeguards

 

a?

n1. ?wm?



 

DEPARTMENT OF HEALTH 8.: HUMAN SERVICES OFFICE OF THE SECRETARY

 



Voice- (215} 361-4441 Office for Civil Rights, Region 
TDD - (215) 361-4440 150 S. Independence Hall West
FAX (215) 861-4431 Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

Reference: 163363

Investigator: Elizabeth Benson

Contact Telephone: 215-861-442?

November 6, 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPPIG

VHA Privacy Implementation Coordinator

Information Access and Privacy omce- 

Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW

Washington DC 20420

Dear Ms. Wilson:

The US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR),
received a complaint alleging that the VA Pittsburgh Healthcare System, the covered entity, has
violated the Federal Standards for Privacy of Individually Identi?able Health Information andfor
the Security Standards for the Protection of Electronic Protected Health Information [45 C.F.R.

Subparts A, C, and E, the Privacy and Security Rules). The complainant,
{bii-Biibimibj alleges that on September 27, 20i3, staff failed to implement appropriate

 

safeguards. Speci?cally, the complainant alleges that during triage in the blood draw area,
patients are asked to provide their social security number and the information can be overheard
by other patients in the area. This allegation could reflect a violation of 45 C.F.R. 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable
safeguards to prevent impermissible disclosures of protected health information (PHI). A
covered entity must maintain reasonable and appropriate administrative, technical, and physical
safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the
Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or
required use or disclosure. 4S C.F.R, 

Pursuant to its authority under 45 C.F.R. 160.304{a) and OCR has determined to resolve
this matter informally through the provision of technical assistance to VA Pittsburgh Healthcare
System. To that end, OCR has enclosed material explaining the Privacy Rule provisions related
to Reasonable Safeguards.

 

You are encouraged to review these materials closely and to share them with your staff as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been any
noncompliance as alleged by the complainant in this matter, and, if so, to take the steps
necessary to ensure such noncompliance does not occur in the future. In addition, OCR
encourages you to review the facts of this individual?s complaint and provide the individual the
appropriate written response swiftly if necessary to comply with the requirements of the Privacy
Rule. Should OCR receive a similar allegation of noncompliance against VA Pittsburgh
Healthcare System in the ?rture, OCR may initiate a formal investigation of that matter. In
addition, please note that, after a period of six months has passed, OCR may initiate and conduct
a compliance review of VA Pittsburgh Healthcare System related to your compliance with the
Privacy Rule?s provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
prrvacy.

If you have any questions regarding this matter, please contact Elizabeth Benson, Investigator, at
215-861-4427 (Voice), 215-861-4440 CIT Y). 

Sincerely,

Barbara J. Holland
Regional Manager

 

Enclosure: Reasonable Safeguards