DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region I
JFK Federal Building, Room 1875
Government Center
Boston, MA 02203-0002
Voice (617) 565-1340, (800) 368-1019; TDD (617) 565-1343, (800) 532-769?; FAX (617) 565-3809

AUG 20 2014

Privacy Officer
Director of Health Information Management
Brattleboro Retreat
P.O. Box 803
Brattleboro, VT 05302

Our Reference Number: 13-176758

Dear (C):

On September 4, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complaint alleges that since the implementation of an electronic health records system at Brattleboro Retreat (Brattleboro) on February 12, 2013, there has been no security awareness or training for staff; there has been a failure to establish access authorization; failure to establish minimum necessary; and failure to establish unique user identifier. These allegations could implicate possible violations of 45 C.F.R. [section citations illegible in the scanned original]. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

On March 19, 2014, OCR notified Brattleboro of the complaint. Brattleboro responded to OCR and documented the security-related processes and policies that had been put in place, and the steps that had been taken by Brattleboro to assure the security of its electronic records system.

Brattleboro worked with its electronic medical record (EMR) vendor, Netsmart, to design a system to support policies and procedures relating to the protection of patient health information and to enable minimum necessary access to the system. A three-tiered login is required to access the EMR: each user must have the appropriate System Code, User ID and Password. Features of this login include unique user passwords for each staff member with minimum password strength; forced resetting of passwords; automatic deactivation upon failed login attempts; and forced logout after a defined period of user inactivity. A role-based security system is in place to limit user access to only the portions of a patient's health record that are applicable to the individual's staff role and job function.

Mandatory security training was required of all employees prior to being issued a network account to access any of Brattleboro's information systems. New employees are required to take this training upon hire. Prior to implementation of the EMR system, all staff were provided with training on the proper use of their unique user IDs, password maintenance, the automatic logoff security feature and requirements regarding accessing the system.

A Risk Analysis team was formed and is meeting on a regular basis for the purpose of completing a full, formal, updated Risk Analysis of all systems and processes related to protected health information. This full Risk Analysis is scheduled to be complete by August 2014. In addition, a Security Awareness Group was formed and tasked with the responsibility of reassessing the management of security and privacy of protected health information. This group, of which the Privacy Officer is a member, meets quarterly.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Brattleboro Retreat. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Vicki Kaufman, Investigator, at 617-565-1344 (Voice), 617-565-1343 (TDD).

Sincerely,

Susan M. Pezzullo Rhodes
Regional Manager