Office of the Secretary
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Street, SW
Atlanta, GA 39303
Voice - (404) 562-?836, (800) 368-1019
TDD - (404) 562-7884, (800)
Fax (404) 5623381

May 25, 2012

[redacted]
Industricare
10616 Metromont Pkwy Suite 102
Charlotte, NC 23269

RE: [redacted] v. Industricare
Reference No: 12-13521]r and

Dear [redacted]

On November 21, 2011, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] alleging non-compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Sub-parts A, C, and E, the "Privacy and Security Rules") and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Complainant alleged that his medical records were disclosed to a co-worker without authorization. These allegations could constitute violations of the Privacy Rule. See 45 C.F.R. and

OCR enforces the Privacy, Breach Notification and the Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 C.F.R The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R.

On April 13, 2012, OCR notified Industricare of the privacy complaint filed by and requested certain documents and information related to the facts alleged.

On May 11, 2012, Industricare provided a detailed response to the allegations, along with its HIPAA training materials, provisions of its personnel manual, and its confidentiality policies, and various other policies related to this matter.

From our review of the relevant documents and allegations, it appears that Complainant works as a crew member on U.S. Airways. During a flight, the crew experienced a cabin-odor event, which required testing each crew member subsequent to the flight. Complainant's tests were faxed to his employer, and were intended to be faxed to Complainant. Due to a technical error related to Industricare's office equipment, the fax was sent to one of the other crew members in error.

It appears that due to the reporting of the cabin-odor event, Industricare was authorized to make limited disclosures pursuant to 45 C.F.R. (workplace surveillance). However, the technical error that resulted in a disclosure to the other crew member was an impermissible disclosure. In response to this event, a contractor was called out to reconfigure the facsimile equipment. Further, to prevent a repeat of these events, Industricare adopted a policy of sending its lab results to employees by certified mail, and no longer using email. These measures appear to be reasonable safeguards to prevent reoccurrence of the events giving rise to Complaint.

Accordingly, the matters raised by this complaint at the time it was filed appear to have now been resolved through the voluntary compliance action of Industricare. Therefore, OCR is closing this case.

OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence of record pertinent to resolving the issues raised by you in the aforementioned complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Elliott Schwalb at (404) 562-2790 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager