slum
an a,

f?m?e
4?


August 6, 2013

 

OFFICE OF THE SECRETARY

for Civil Rights, Region 
2.33 N. Michigan Ave, Suite 240
Chicago, IL 6060]

DEPARTMENT OF HEALTH HUMAN SERVICES
voice - (312} 336-2359

TDD (312) 353-5693

(FAX) - {312) 333-133?

(bii?iinTiiCi Privacy Of?cer
Mars ie - mm

1000 North Oak Avenue
Marshfield, WI 54449

Re: OCR Transaction Number: 12-13626-4-

Dear {bii?iibiifiici 

On December 12, 2011, the US. Department of Health and Human Services (HHS), Of?ce
for Civil Rights (OCR), received a complaint alleging that Marshfield Clinic, the covered
entity, has violated the Federal Standards for Privacy of Individually Identifiable Health
Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). Speci?cally, the complainant alleges that, between July 1 and September 15, 2011,
lof Marshfield Clinic at the Mosinee Center, impermissiny accessed the
complainant?s protected health information without a need to do so. This allegation could
re?ect a violation of 4S C.F.R. 164.502(a) and 

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in
violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to
otherwise permitted or required use or disclosure. 45 C.F.R. 

OCR is pleased that, Marsh?eld Clinic has taken the following steps toward coming into
compliance with the Privacy Rule: investigated the complainant's allegations, ran an audit
report of the complainant's medical record, and sent the complainant letters dated
November 18 and 21, 2011, documenting the results of Marsh?eld Clinic?s investigation.

Please note that, after a period of six months has passed, OCR may initiate and conduct a
compliance review of Marsh?eld Clinic related to your compliance with Reasonable
Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that

 

Page 2

identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Alyce Hilden, Investigator,
at (312) 353?9683 (Voice) or (312) 

Sincerely,

a;

Celeste H. Davis
Regional Manager

 

omen.

?le in.


DEPARTMENT OF HEALTH HUMAN SERVICES
Voice - (312) 836-2359

TDD - (312) 353-5693

(FAX) - (312) 883-180?

mm

233 N. Michigan Ave, Suite 240
Chicago, IL 60601

August 6, 2013

 



 

 

 

Re: OCR Transaction Number: 12-136264

Dear (blisnbiin

On December 2, 2011, the U.S. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR), received your complaint alleging that Marshfield Clinic, the covered
entity, has violated the Federal Standards for Privacy of Individually Identifiable Health
Information andjor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Securi
Rules). Specifically, you allege that, between July 1 and September 15, 2011,

{bile}. Marshfield Clinic at the Mosinee Center, impermissibly accessed your protected

health information without a need to do so. This allegation could reflect a violation of 45

C.F.R. 164.502(a) and 

Thank you for bringing this matter to attention. Your complaint is an integral part of
OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in
violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to
otherwise permitted or required use or disclosure. 45 C.F.R. 

We are pleased to inform you that your complaint in this matter has been resolved.
Specifically, on November 18 and 21, 2011, Marsh?eld Clinic sent you letters documenting
the results of its investigation, ran an audit report of your medical record, and advise you
that it found that only accessed your records in February 2011, for services he
provided to you on February 1, 2011.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule
provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a

OFFICE OF SECRETARY
Office for Civil Rights, Region 

 

 

Page 2

request, we will make every effort, as permitted by law, to protect information that
identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Alyce Hilden, Investigator,
at (312) 353-9638 (Voice) or (312) 

Sincerely,

Celeste H. Davis

Regional Manager

Enclosure: Reasonable Safeguards

 

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as
well as that limit incidental uses or disclosures. See 45 C.F.R. ?164.530 It is not
expected that a covered entity's safeguards guarantee the privacy of protected health
information from any and all potential risks. Reasonable safeguards will vary from covered
entity to covered entity depending on factors, such as the size of the covered entity and the
nature of its business. In implementing reasonable safeguards, covered entities should
analyze their own needs and circumstances, such as the nature of the protected health
information it holds, and assess the potential risks to patients' privacy. Covered entities
should also take into account the potential effects on patient care and may consider other
issues, such as the financial and administrative burden of implementing particular
safeguards.

Many health care providers and professionals have long made it a practice to ensure
reasonable safeguards for individuals' health information - for instance:

By speaking quietly when discussing a patient's condition with family members in a
waiting room or other public area;

By avoiding using patients? names in public hallways and elevators, and posting signs
to remind employees to protect patient confidentiality 

By isolating or locking file cabinets or records rooms; or

a By providing additional security, such as passwords, on computers maintaining
personal information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of
conduct to develop the reasonable safeguards required by the Privacy Rule.