Voice- (404} 5624335, (800) 368-1019 TDD - {404) 5624834. {300} 53?-?69? (FAX) (404) 5624831 November 2011 {bll?llbl?'llcl HIPAA Privacy Of?cer Member Services Department Kaiser Foundation Health Plan of Georgia, Inc. Nine Piedmont Center 3495 Piedmont Road, NE Atlanta, Georgia 30305-1736 Re: {Wibmm v. Kaiser Permanente OCR Transaction Number: 1 1-129624 a Dear and {m DEPARTMENT OF HUMAN SERVICE OFFICE or THE SECRETARY Of?ce for Civil Rights, Region IV 61 Street, SW. Atlanta Federal Center, Suite 16T70 Atlanta, GA 30303-3909 On July 9, 2011, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information 45 CPR. Privacy Rule). Speci?cally, Complainant, its 160 and 164, Subparts A and E, the amendment to his medical records was denied when he sent a written request to member of the covered entity?s workforce, on January He further allees that he continued to call the covered entity and tried to reach alleges that his right to request an a 2011, and did not receive a res onse. supervisor, and did not receive a response even though he followed the covered. entity?s process to request an amendment. These allegations could re?ect violations of 45 C.F.R. ?164.526(a) and 45 C.F.R. respectively. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule states that an individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set. See 45 GER. Additionally, the Privacy Rule mandates that a covered entity must have in place a procedure, in which individuals may make a complaint against the covered entity. See 45 GER. 1 64. 53 0699(1). On September 20, 2011, OCR noti?ed Kaiser Permanente of the complaint allegations ?led aainst it by Complainant. In a written response to request for information, Privacy Of?cer, re - orted that the covered entity conducted a full investigation into the allegations raised by The covered entity included in its report a full summary of its internal investigation, which af?rmed the allegations raised by Complainant. Speci?cally, the covered entity reported that it failed to respond tore nest to amend his records from January 3 2011. However, OCR independently investigated a llegations and based on a review of the entire record, we found that the evidence indicated concerns of noncompliance on the part of Kaiser Permanente. As a result of its ?nding, OCR instructed the covered entity to reapond to amendment request. The covered entity provided OCR with a written acceptance letter that was sent to MSW) on October 26, 2011. This letter contained all of the necessary elements that are required by the HIPAA Privacy Rule under 45 C.F.R. Since the CE followed the administrative requirements of the Privacy Rule when it accepted request, its acceptance would be allowed under the Privacy Rule. In light of ?nding, the covered entity provided OCR with written assurance of the following corrective action to address the indicated areas of noncompliance: the covered entity responded to request to amend his record. Further, the covered entity retrained its sta? members on appropriate handling of amendment requests on October 27, 20] 1. Based on the reported actions taken by the covered entity, all matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the covered entity. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the issues raised in the complaint. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact John Bailey, Investigator, at (404) 562-? 866 (Voice) or (404) 562-7884 (TDD). Sincerely, sevelt 111% Regional Manager