DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 835-2359
TDD - (312) 353-5693

September 25, 2012

Privacy Officer
Marshfield Clinic
1000 North Oak Avenue
Marshfield, WI 54449

Re: - v. Marshfield Clinic
OCR Transaction Number: 11-123544

Dear

On January 15, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by alleging that Marshfield Clinic (Marshfield), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, alleges that on or around November 12, 2010, Marshfield sent a account statement that contained his name, account information, detailed services, and physicians' names to the wrong address. According to both Marshfield and the recipient confirmed that the recipient read the document. However, expressed concern that Marshfield accepted the recipient's assertion that he threw the document away, without attempting to retrieve it. These allegations could reflect violations of 45 C.F.R. 164.502(a) and 164.530(c) and of the Privacy Rule.

OCR enforces the Privacy and Security Rules, and the Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matters raised in this complaint. On January 19, 2012, OCR notified Marshfield of the complaint. On February 2012, OCR received Marshfield's response to its investigation, along with supporting documentation.

Based on our review of the facts and circumstances of this matter, OCR has determined that all matters raised by this complaint at the time it was filed have now been resolved by the voluntary compliance actions of Marshfield.

In its response, Marshfield acknowledged that it had erroneously sent account statement to his stepdaughter's biological father on November 12, 2010. According to Marshfield, the biological father of stepdaughter called to schedule an appointment his daughter, on November 9, 2010. Marshfield further explained that, at this time, was listed on family account, even though her primary residence was with her biological father, and Marshfield historically listed children on the account of the parent with whom they shared a primary residence. Marshfield also explained that the employee who responded to the call manually keyed a change of address in error, and without following its proper verification of patient identification procedures.[1]

The Privacy Rule prohibits a covered entity from using or disclosing PHI, except as permitted or required by one of its provisions. 45 C.F.R. The Privacy Rule also requires that a covered entity maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI. 45 C.F.R. A covered entity must also mitigate, to the extent practicable, any harmful effect that is known to the covered entity of an impermissible use or disclosure of PHI in violation of its policies and procedures or the requirements of the Privacy Rule. 45 C.F.R. 164.530(f). In this case, Marshfield acknowledged that its employee's failure to follow its proper verification procedures before making an address change resulted in an errant disclosure of PHI.

To resolve the issues raised in this matter and prevent future similar incidents, Marshfield reported taking the following voluntary actions:

1) corrected family account address on November 18, 2010;
2) issued a verbal warning on November 29, 2010, to the Appointment Coordinator who made the error and re-educated her on the proper process of verification prior to changing addresses;
3) contacted the recipient to attempt to retrieve the document on December 14, 2010;[2]
4) apologized to in a telephone and offered to place a password on his account number on January 11, 2011; and
5) educated customer service staff in January 2011 on the proper protocol when speaking with unintended recipients of PHI and reminded staff to send a self-addressed stamped envelope to callers so that they can return the PHI.

Marshfield also reported that pursuant to the Breach Notification Rule, it sent a breach notification letter to on December 14, 2010 and reported the breach to HHS on February 23, 2011. In addition, Marshfield reported that it made changes to the patient demographics module in its electronic medical record software suite to more clearly delineate account members and provided documentation indicating that it had offered this Meaningful Use related training to staff, and online.

[1] Marshfield's "Verification of Patient Identification" policy states that its purpose is "to protect patients against medical identity theft and to ensure that patient demographic information is being accurately collected and recorded in the electronic medical record and on patient accounts."

[2] According to Marshfield, the recipient indicated the document had already been discarded.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, OCR Investigator, at (312) 886-5078 (Voice) or (312) 353-6693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager