??vrcq_ 0. MM. m4.? f. DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY Voice {404} 552-7886. {800} 368-1019 Of?ce for Civil Rights, Region IV TDD- (404) 562-?384. {300] 53135597 61 Street. 5. W. (FAX) - (404} 5523351 Atlanta Federal Center, Suite 387? h?p Atlanta? GA 30303_39?9 August 2011 Ms. Leslie V. Shaffer, CHP, CHSS Director TMA Privacy and Civil Liberties Of?ce Of?ce of the Assistant Secretary of Defense Health Affairs Skyline 5, Suite 310 5111 Leestrg Pike Falls Church, VA 22041-3206 Re: v. Blanch?eld Army Community Hospital Reference number: 1 1-126333 Dear{ Ms. Shaffer: On 03f31f2011, the US. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that Blanch?eld Army Community Hospital is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information anda?or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). IComplainant, alleges that Blanchfield Army Community Hospital violated his privacy On that date, {biteltbl a human resources staff member, requested a copy of 10401401? protected health information, which the hospital provided to her despite the fact that she did not have authorization or a legitimate work related reason to access the information. These allegations could reflect violations of 45 CPR. 164.502(a) and respectively. The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted er required by the Privacy Rule. See 45 C.F.R 164.502 The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. See 45 C.F.R. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On June 7, 2011, OCR noti?ed Leslie V. Shaffer, Director of Privacy and Civil Liberties, of the complaint against Blanch?eld Army Community Hospital (hereinafter, Speci?cally, we sent the facility a written request for evidence asking that they provide us with a statement detailing the results of their intemal investigation of allegations. We also requested a copy of the Army?s policies and procedures relating to safeguards and impermissible uses and disclosures of protected health information (hereinafter, Finally, we requested documentation showing that the BACH staff, speci?cally was retrained or sanctioned on the aforementioned provisions of the Privacy Rule if it was ultimately determined that a violation occurred. Ms. Shaffer responded to written request for information on behalf of EACH on July 15, 2011. In her response, she submitted copies of the requested policies and procedures and gave OCR written assurances that the Army previously investigated allegations after he ?rst brought the matter to their attention in November 2010. Speci?cally, she told OCR that their investigation con?rmed that BACH had, in fact, disclosed a portion of PHI, speci?cally his medical pro?le slip, to At no point was entire medical record disclosed to her. According to Ms. Shaffer, BACH disclosed (Wimblle PHI to (bl (?61 ecause she needed a pro?le of his medical history to inform his commander, ?3%)be of his ?tness for duty. As the Chief of Military Personnel and Assistant to the Commander, job function requires her to receive PHI as it relates to military functions. A copy of .{bltiltcl ljob description, as well as the Department of Defense?s Federal Register notice regar mg appropriate disclosures of PHI for members of the armed forces to assure proper execution of the military mission, were provided to OCR for our review. We have reviewed the matter raised in the complaint. Based on our review of the facts and circumstances of this matter, we have determined that BACH did not impermissiny disclose PHI to in this instance. Under the Privacy Rule, ?a covered entity may not use or disclose protected health information, except as permitted or required by [the Rule].? See 45 CF However, ?a covered entity may use and disclose the PHI of Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if tire appropriate military authority has pubiished by notice in the Federal description of] the appropriate military command authorities and the purposes for which the PHI may be used or disclosed.? See 45 CFR In this case, Ms. Shaffer con?rmed allegation that BACH disclosed his PHI to However, she asserted that BACH disclosed that information to for the purpose of reporting his ?tness for duty to his Commander, a reSponsibility out me 1n her job description. review of the federal register notice BACH submitted to our of?ce revealed that both and qualify as appropriate military command authorities to whom disc osures can be mae to I etermine members? ?tness for duty, a purpose for which PHI may be disclosed. Given that disclosed PHI for the purpose of making a ?tness for duty determination, on activity deemed necessary to assure the proper execution of the mission, to an appropriate military command authority, in conjunction with the fact that the required notices were published in the ederai Register, this action does not constitute a violation of the Privacy Rule. Therefore, OCR is closing this matter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals Or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Akara Whiten Smith, Investigator, at (404) 562-7189 (Voice), (404) 562-7834 (TDD). Sine ely, oosevelt.Free an Regional Manager