U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region [number illegible]
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice: (312) 886-2359, (800) 368-1019
TDD: (312) 353-5693, (800) 537-7697
Fax: (312) 886-[illegible]
http://www.hhs.gov/ocr

January 31, 2014

[complainant name and address redacted]

Our Transaction Number: 11-128430

Dear [redacted]:

On May 24, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that the Department of Veterans Affairs-Veterans Health Administration (VHA), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that, on April 23, 2011, the John D. Dingell VA Medical Center Pharmacy failed to safeguard the PHI of your brother, [redacted], when it mailed to [redacted] via United Parcel Service (UPS) two boxes of Coloplast Self Cath in packaging that displayed the contents and clearly identified [redacted]'s doctor as VA-affiliated. This allegation could reflect a violation of 45 C.F.R. 164.530.

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R. 164.530.
For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home, are also considered to be reasonable requests, absent extenuating circumstances. See 45 C.F.R. [section and URL illegible in source]. However, changing a UPS shipping sticker is not a feasible or reasonable accommodation that can be made.

We have carefully reviewed your complaint against the VHA and have determined to resolve this matter informally through the provision of technical assistance to the VHA. Should OCR receive a similar allegation of noncompliance against the VHA in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, Investigator, at (312) 886-50[illegible]8 (Voice) or (312) 353-5693, (800) 537-7697 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. 164.530. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.
Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.


U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region [number illegible]
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
http://www.hhs.gov/ocr

January 31, 2014

Ms. Andrea Wilson, RHIA, CIPP
VHA Privacy Implementation Coordinator
Information Access and Privacy Office (10P2C1)
Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave., NW
Washington, DC 20420

Our Transaction Number: 11-128430

Dear Ms. Wilson:

On May 24, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint from [redacted], alleging that the Department of Veterans Affairs-Veterans Health Administration (VHA), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted] alleges that the John D. Dingell VA Medical Center Pharmacy failed to safeguard the PHI of her brother, when it mailed to [redacted] via United Parcel Service (UPS) two boxes of Coloplast Self Cath in packaging that displayed the contents and clearly identified [redacted]'s doctor as VA-affiliated. This allegation could reflect a violation of 45 C.F.R. 164.530.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable safeguards to prevent impermissible disclosures of protected health information (PHI). A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R. 164.530.

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home, are also considered to be reasonable requests, absent extenuating circumstances. See 45 C.F.R. [section illegible in source].

Pursuant to its authority under 45 C.F.R. 160.304(a) and [citation illegible in source], OCR has determined to resolve this matter informally through the provision of technical assistance to the VHA.
To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Reasonable Safeguards. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review the facts of this individual's complaint and provide the individual the appropriate written response swiftly if necessary to comply with the requirements of the Privacy Rule.

Should OCR receive a similar allegation of noncompliance against the VHA in the future, OCR may initiate a formal investigation of that matter. In addition, please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of the VHA related to your compliance with the Privacy Rule's provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, Investigator, at (312) 886-50[illegible]8 (Voice) or (312) 353-5693, (800) 537-7697 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager

Enclosure: Reasonable Safeguards