DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (404) 562-4386, (800) 368-1019
TDD - (404) 562-7884
Fax - (404) 562-7831

Office for Civil Rights, Region
Atlanta Federal Center, Suite 16170
61 Street, SW.
Atlanta, GA 30303

June 25, 2012

Mr. John H. Morse
Acting Director
TMA Privacy and Civil Liberties Office
TRICARE Management Activity Privacy Office
Skyline Five, Suite 310
5111 Leesburg Pike
Falls Church, VA 22041-3206

Re: vs. Blanchfield Army Community Hospital
OCR Transaction Number: 1 22963

Dear and Mr. Morse:

On March 16, 2010, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Specifically, the complaining party, alleges that the covered entity, Blanchfield Army Community Hospital, impermissibly used her PHI when after calling into work provided her employer with a sick leave slip. After not being able to verify the slip, her employer called her provider to verify whether saw the provider. claims her employer accessed her medical records to verify the sick leave slip. is both an employee and a patient of Blanchfield Army Hospital. These allegations could reflect violations of 45 C.F.R. and respectively.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health information, except as permitted or required by the Privacy Rule. See 45 C.F.R.

The Privacy Rule states, in part, that a covered entity must identify those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties; for each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access; and a covered entity must make reasonable efforts to limit the access of such persons or classes to PHI consistent with the requirements of this provision. See 45 C.F.R.

The Privacy Rule mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. See 45 C.F.R.

On March 7, 2011, OCR notified Blanchfield Army Community Hospital of the complaint filed by. OCR began its investigation by clarifying the complaint and then contacting the covered entity for information. Through this process, OCR obtained information relevant to making a determination as to whether Blanchfield Army Community Hospital violated the Privacy Rule in the manner alleged in the complaint.

In a written response to request for information, John Morse, Acting Director for the covered entity, reported that the covered entity conducted a full investigation of allegations and initially denied those allegations.

Specifically, Blanchfield Army Community Hospital provided written evidence by means of witness statements that employees of the covered entity investigated sick leave slip for the purpose of determining if the sick leave slip was valid or invalid and not to discuss medical care. All three witness statements provided that at no time was protected health information discussed.

However, OCR provided technical assistance to the covered entity and informed Blanchfield Army Community Hospital that a violation occurred as alleged. OCR informed the covered entity that this is not a permissible basis to contact Complainant's provider to verify the validity of the leave slip without a valid authorization. Medical information was impermissibly used, because the provider verified not only the validity of the leave slip, but also verified that Complainant was a patient who was seen on the day in question, which would be considered protected health information.

Pursuant to independent investigation of the matter, the covered entity made an effort to voluntarily comply with the Privacy Rule by sanctioning the offending workforce member in a manner consistent with its policies and procedures.

Additionally, during the course of the investigation, OCR found that the covered entity was in violation of the Privacy Rule for failing to have appropriate policies and procedures in place. This finding was based on a review of the entire evidentiary record compiled pursuant to the Complainant's claim.

In light of finding, the covered entity provided OCR with written assurance of the following corrective action to address the breach: the covered entity developed appropriate policies and procedures, and will provide ongoing training to new hires. OCR analyzed the newly developed and implemented policies and procedures and found no areas of noncompliance with the Privacy Rule.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Blanchfield Army Community Hospital. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the issues raised in the complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact John Bailey, Investigator, at (404) 562-3866 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager