DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
FAX - (212) 264-3039

OCR Transaction Number: 14-17573[last digit illegible]

Dear [name redacted (b)(6), (b)(7)(C)]:

On February 4, 2014, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that Lyons VA Hospital, located in Lyons, New Jersey, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that on December 16, 2013, [name redacted] provided your medication refill request paperwork, which contained your name, address, date of birth, social security number, and prescription history, to [name redacted] along with a copy of his medical records. This allegation could reflect violations of 45 C.F.R. 164.502(a) and [further citations illegible in the source].

Thank you for bringing this matter to our attention. Your complaint is an integral part of OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose an individual's protected health information (PHI) without an authorization unless permitted or required by the Privacy Rule.
In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

We are pleased to inform you that your complaint in this matter has been resolved. Lyons VA Hospital has taken the following steps toward coming into compliance with the Privacy Rule:

1. On January 29, 2014, Lyons VA Hospital retrieved the complainant's refill request paperwork from [name redacted (b)(6), (b)(7)(C)].
2. Apologized to the complainant for the incident.

As part of its investigation, OCR has provided Lyons VA Hospital with guidance to comply with the Privacy Rule. Specifically, Lyons VA Hospital will take the following steps to comply with the Privacy Rule:

1. Conduct an internal investigation regarding the incident;
2. Based on the findings of the internal investigation, take the following actions:
   a. Retrain the staff that disclosed the complainant's medication refill request paperwork with respect to uses and disclosures of PHI;
   b. Determine whether sanctioning staff is appropriate;
   c. As required by the Breach Notification Rule, conduct a risk assessment of the impermissible disclosure to determine whether it constitutes a breach:
      i. If appropriate, notify the complainant;
      ii. Report the breach incident to HHS using the online breach reporting tool found at [URL not legible in the source];
      iii. Document the impermissible disclosure of the complainant's PHI in his/her record for accounting of disclosure purposes;
      iv. Account for the incident in the patient's records;
      v. Determine appropriate actions to mitigate the incident.

For your information, OCR has enclosed material regarding the Privacy Rule provisions related to reasonable safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Robert Chirila, Investigator, by email at robert.chirila@hhs.gov or by telephone at (212) 264-8900 (Voice), or (212) 264-2355 (TDD).

Thank you for bringing this matter to our attention.

Sincerely,

Linda C. Colón
Regional Manager

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. 164.530(c)

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. § 164.530(c).

It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals'
health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

cc: Ms. [name redacted], VHA Privacy Implementation Coordinator, Information Access and Privacy Office


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
FAX - (212) 264-3039

[month illegible] 07, 2014

Andrea Wilson, RHIA, CHP, CIPP/G
[redacted (b)(6), (b)(7)(C)]
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Ave, NW
Washington, DC 20420

OCR Transaction Number: 14-17573[last digit illegible]

Dear Ms. Wilson:

On February 4, 2014, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that Lyons VA Hospital, located in Lyons, New Jersey, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). [Name redacted] (the complainant) alleges that on December 16, 2013,
[name redacted (b)(6), (b)(7)(C)] provided her medication refill request paperwork, which contained her name, address, date of birth, social security number, and prescription history, to [name redacted] along with a copy of his medical records. This allegation could reflect violations of 164.502(a) and [further citations illegible in the source], respectively.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose an individual's protected health information (PHI) without an authorization unless permitted or required by the Privacy Rule. In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

OCR is pleased that Lyons VA Hospital has taken the following steps toward coming into compliance with the Privacy Rule:

1. On January 29, 2014, Lyons VA Hospital retrieved the complainant's refill request paperwork from Mr. Frank Kiernan.
2. Apologized to the complainant for the incident.

OCR has determined that the following corrective actions are needed to bring Lyons VA Hospital into compliance with HIPAA:

1. Conduct an internal investigation regarding the incident;
2. Based on the findings of the internal investigation, take the following actions:
   a. Retrain the staff that disclosed the complainant's medication refill request paperwork with respect to uses and disclosures of PHI;
   b. Determine whether sanctioning staff is appropriate;
   c. As required by the Breach Notification Rule, conduct a risk assessment of the impermissible disclosure to determine whether it constitutes a breach:
      i. If appropriate, notify the complainant;
      ii. Report the breach incident to HHS using the online breach reporting tool found at [URL not legible in the source];
      iii. Document the impermissible disclosure of the complainant's PHI in his/her record for accounting of disclosure purposes;
      iv. Account for the incident in the patient's records;
      v. Determine appropriate actions to mitigate the incident.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of Lyons VA Hospital related to your compliance with the Privacy and Breach Notification Rules.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Robert Chirila, Investigator, by email at robert.chirila@hhs.gov or by telephone at (212) 264-8900 (Voice), or (212) 264-2355 (TDD).

Thank you for bringing this matter to our attention.

Sincerely,

Linda C. Colón
Regional Manager