Mme DEPARTMENT OF HEALTH HUMAN SERVICES Of?ce Of the Sauetaw Voice - {312) 836-2359, {800) 368-1019 TDD - [312] 353-5693, {800) 537-?69? Fax - (31 2) 336-180? Of?oe for Civil Rights. Region 233 N. Michigan Ave.. Suite 2: Chicago. IL 60601 September 30, 2013 {bli?iibl?kcl OCR Transaction Number: 11*123886 Dear On February 10, 2011, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), received your complaint alleging that St. Louis VA Medical Center, Belleville Clinic (St. Louis VA), the covered entity, has violated the Federal Standards for Privacy of Individualiy Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, you allege Ithe St. Louis VA impermissiny disclosed your protected health information (PHI) when (biieubiinici and {bieiibiinici of the St. Louis VA discussed your PHI, including mental health information, with your mother, without your authorization to do so _in the Clinic's waiting room with other individuals present, and when libiisiibimici and disclosed your PHI, including mental health information, to he Ill'nois Department of Children and Family Services (IDCFS) after you asked @?Wbimici and thy they were permitted to disclose your PHI to your mother. You allege Icontacted IDCFS in what you believed was retaliation for having brought up HIPAA. This allegation could reflect a violation of 45 C.F.R. 164.510 and Thank you for bringing this matter to attention. Your complaint plays an integral part in OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Ruie. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual?s family, friends, or other persons identi?ed by the individual the protected health information that is directly relevant to such person?s involvement with the individual?s care or payment for care. The covered entity may ask the individual?s permission, may teil the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss My the information that the person involved needs to know about the individual?s care or payment for their care. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policiesand procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530 On June 14, 2011, OCR noti?ed St. Louis VA of this complaint. On August 10, 2011, St. Louis VA provided a written response to OCR, along with supporting documentation. On February 8, 2012, OCR requested additional information from St. Louis VA. On February 13, 2012, St. Louis VA provided additional information and documentation to OCR. We have carefully reviewed the information gathered related to your complaint against St. Louis VA and have determined to resolve this matter informally through the provision of technical assistance to St. Louis VA. Should OCR receive a similar allegation of noncompliance against St. Louis VA in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Nicholas Brescia, J.D., Investigator, at (312) 886-5079 (Voice) or (312) 353?5693 or (202) 619-3257 (TDD). - Sincerely, W79 Celeste H. Davis Regional Manager Enclosure: Disclosures to Family and Friends The Minimum Necessary Requirement Reasonable Safeguards DISCLOSURES To FRIENDS AND FAMILY 4s C.F.R. 164.510(b) The Privacy Rule does not require a health care provider or health plan to share information with a patient?s family or friends, unless they are the patient?s personal representatives. The law does permit providers and plans to share information with a patient?s family or friends in certain circumstance. A health care provider or health plan may share relevant information with family members or friends involved in the patients health care or payment for the patient?s health care, if the patient tells the provider or plan that it can do so, or if the patient does not object to sharing of the information. For example, if the patient does not object, the patient?s doctor could talk with the friend who goes with the patient to the hospital or a family member who pays the patient?s medical bill. A provider or plan may also share relevant information with these persons if, using its professional judgment, it believes that the patient does not object. For example, if a patient sends a friend to pick up your prescription for the patient, the pharmacist can assume that the patient does not object to their being given the medication. When the patient is not there or is injured and cannot give their permission, a provider may share information with these persons when it decides that doing so would be in the patient?s best interest. WW Q: Does the HIPAA Privacy Rule permit a doctor to discuss a patient?s health status, treatment, or payment arrangements with the patient's family and friends? . A: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) speci?cally permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identi?ed by a patient, in the patient?s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on their professional judgment, that the patient does not object. Under these circumstances, for example: a A doctor may give information about a patient's mobility limitations to a friend driving the patient home from the hospital. A hospital may discuss a patient?s payment options with her adult daughter. a A doctor may instruct a patient?s roommate about proper medicine dosage when she comes to pick up her friend from the hospital. . A physician may discuss a patient?s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room. .- Even when the patient is not present or it is impracticable because of emergency circumstances 'or the patient?s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR Thus, for example: A surgeon may, if consistent with such professional judgment, inform a patient?s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient's progress and prognosis. A doctor may, if consistent with such professional judgment, discuss an incapacitated patient?s condition with a family member over the phone. In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient?s best interests in allowing another person to act on behalf of the patient to pick up a ?lled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identi?es by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so. If the patient is not present or is incapacitated, may a health care provider still share the patient's health information with family, friends, or others involved in the patient?s care or payment for care? Yes. If the patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient?s care or payment. Here are some examples: A surgeon who did emergency surgery on a patient may tell the patient?s spouse about the patient?s condition while the patient is unconscious. A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription. A hospital may discuss a patient?s bill with her adult son who calls the hospital with questions about charges to his mother's account. A health care provider may give information regarding a patient?s drug dosage to the patient's health aide who calls the provider with questions about the particular prescription. BUT: . A nurse may n_ot tell a patient?s friend about a past medical problem that is unrelated to the patient?s current condition. a A health care provider is n_ot required by HIPAA to share a patient?s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure. HIPAA Privacy Rule Disclosures to a Patient's Family, Friends, or Others Involved in the Patient's Care or Payment for Care Family Member or F?end Other Persons Patient is present and has the capacity to make health care decisions Provider may disclose relevant information if the provider does one of the following: (1)0btain the patient's agreement; (2)Gives the patient an opportunity to object and the patient does not object; (3)Decides from the circumstances, based on professional judgment, that the patient does not object Disclosure may be made in person, over the phone, or in writing Provider may disclose relevant information if the provider does one of the following: (1)0btain the patient?s agreement; (2)Gives the patient an opportunity to object and the patient does not object; (3) Decides from the circumstances, based on professional judgment, that the patient does not object Disclosure may be made in person, over the phone, or in writing Patient is not present or is incapacitated Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and in his or her professional judgment, the provider believes the disclosure to be in the patient?s best Disclosure may be made interest. in person, over the phone, or in writing. Disclosure may be made in person, over the phone, Provider may use or in writing. professional judgment and experience to decide if it Provider may use is in the patient?s best professional judgment and interest to allow someone experience to decide if it to pick up ?lled is in the patient?s best prescriptions, medical interest to allow someone supplies, X-rays, or other to pick up ?lled similar forms of health prescriptions, medical information for the supplies, X-rays, or other patient. similar forms of health information for the patient. THE MINIMUM NECESSARY REQUIREMENT 45 C.F.R. 164.502(b) and 164.514(d) Background The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from con?dentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirements for minimum necessary are designed to be suf?ciently ?exible to accommodate the various circumstances of any covered entity. How the Rule Works The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following: Disclosures to or requests by a health care provider for treatment purposes. Disclosures to the individual who is the subject of the information. Uses or disclosures made pursuant to an individual's authorization. Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simpli?cation Rules. - Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes. Uses or disclosures that are required by other law. The implementation speci?cations for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each speci?c industry context, where it would be generally helpful we will seek to provide additional clari?cation on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care. Uses and Disclosures of, and Requests for, Protected Health Information For uses of protected health information, the covered entity?s policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justi?cation. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required. For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a nonvroutine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where protected health information is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply. Reasonable Reliance In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by: . A public of?cial or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR . Another covered entity. 0 A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose. - A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board. The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies. We Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose? A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the ?exibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information. The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to re?ect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities wiil utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacri?cing the quality of health care. Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, 0r request of an entire medical record? If not, are case-by?case justi?cations required each time the entire medical record is disclosed? No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justi?cation, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non- routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosUres to the individuai who is the subject of the protected health information. In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office Space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements? No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking ?le cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. Covered entities should also take into account their ability to con?gure their record systems to allow access to only certain ?elds, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited ?elds in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be suf?cient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the Privacy Rule. Reasonable Safeguards 45 C.F.R. 164.530 A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. ?164.530 It is not expected that a covered entity?s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients? privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the ?nancial and administrative burden of implementing particular safeguards. Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals? health information - for instance: By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area; . By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient con?dentiality; . By isolating or locking ?le cabinets or records rooms; or a By providing additional security, such as passwords, on computers maintaining personal information. Protection of patient con?dentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.