DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) 386-2353
TDD - (312) 353-5693
FAX - (312) [illegible]
www.hhs.gov/ocr

July 30, 2012

Andrea Wilson
VHA Privacy Office (10P2C1)
Health Information Governance
Department of Veterans Affairs
810 Vermont Ave, NW
Washington, DC 20420

Re: [redacted] v. Clement J. Zablocki VA Medical Center
OCR Transaction Number: 12-14142[final digit illegible]

Dear Ms. Wilson:

In March 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint from [redacted], the complainant, alleging that Clement J. Zablocki VA Medical Center (VAMC), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, [redacted] alleges that, following his August 2011 hospitalization at VAMC, [redacted], a VAMC employee in the dental clinic and the biological mother of [redacted]'s child, impermissibly used his protected health information (PHI) by accessing his medical records without a business purpose. [redacted] further alleges that [redacted] contacted him on a patient phone in the hallway of the ward where he was being treated, and questioned the reasons for his hospitalization, citing PHI contained in his medical record. According to [redacted], [redacted] subsequently disclosed his PHI to a child welfare agency and filed a motion in family court, detailing his PHI. These allegations could reflect violations of 45 C.F.R. [section illegible] and 164.530(c) of the Privacy Rule.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.
Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. 45 C.F.R. [section illegible]. The Privacy Rule also requires that a covered entity have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. [section illegible]. Pursuant to its authority under 45 C.F.R. 160.304(a) and [section illegible], OCR has determined to resolve this matter informally through the provision of technical assistance to VAMC. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to the Minimum Necessary Requirement and Reasonable Safeguards. It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. It is also our expectation that you will assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against VAMC in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions regarding this matter, please contact Alessandra Swanson, Equal Opportunity Specialist, at (312) 353-5946 (Voice) or (312) 353-5693 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager

Enclosures:
The Minimum Necessary Requirement
Reasonable Safeguards

THE MINIMUM NECESSARY REQUIREMENT
45 C.F.R. 164.502(b) and 164.514(d)

Background

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. The Privacy Rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual's authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.
The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

Uses and Disclosures of, and Requests for, PHI

For uses of PHI, the covered entity's policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required. For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure or request.
Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where PHI is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply.

Reasonable Reliance

In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

- A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR [section illegible]).
- Another covered entity.
- A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Frequently Asked Questions

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.
To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard, and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.

Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record, and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.
For uses, the policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests, and the criteria used for non-routine disclosures and requests, would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the PHI.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity.
For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore may choose to limit access in this manner to comply with the Privacy Rule.

REASONABLE SAFEGUARDS
45 C.F.R. 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. [section illegible]. It is not expected that a covered entity's safeguards guarantee the privacy of PHI from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the PHI it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

July 30, 2012

[redacted]

Re: [redacted] v. Clement J. Zablocki VA Medical Center
OCR Transaction Number: 12-14142[final digit illegible]

Dear [redacted]:

In March 2012, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that Clement J. Zablocki VA Medical Center (VAMC), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, following your August 2011 hospitalization at VAMC, [redacted], a VAMC employee in the dental clinic and the biological mother of your child, impermissibly used your protected health information (PHI) by accessing your medical records without a business purpose. You further allege that [redacted] contacted you on a patient phone in the hallway of the ward where you were being treated, and questioned the reasons for your hospitalization, citing PHI contained in your medical record. Finally, you allege that [redacted] subsequently disclosed your PHI to a child welfare agency and filed a motion in family court, detailing your PHI. These allegations could reflect violations of 45 C.F.R. [section illegible] and 164.530(c) of the Privacy Rule. Thank you for bringing this matter to our attention. Your complaint plays an integral part in our enforcement efforts.
OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. 45 C.F.R. [section illegible]. The minimum necessary provision of the Privacy Rule requires the covered entity to limit access to PHI by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. 45 C.F.R. [section illegible]. The Privacy Rule also requires that a covered entity have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. [section illegible].

We have carefully reviewed your complaint against VAMC and have determined to resolve this matter informally through the provision of technical assistance to VAMC. Should OCR receive a similar allegation of noncompliance against VAMC in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Alessandra Swanson, Equal Opportunity Specialist, at (312) 353-5946 (Voice) or (312) 353-5693 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager