DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) 336-2359
TDD - (312) 353-5693
FAX - (312)

August 19, 2013

[redacted]
Privacy Officer
Marshfield Clinic
1000 North Oak Avenue
Marshfield, Wisconsin 54449

Re: [redacted] v. Marshfield Clinic
OCR Transaction Number: 12-1424??

Dear [redacted]:

On April 19, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by the complainant, [redacted], alleging that Marshfield Clinic ("Marshfield") is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted] alleged that, in February 2012, Marshfield disclosed [redacted] protected health information (PHI) as part of a news story covering [redacted] physician, [redacted]. Specifically, [redacted] alleged that Marshfield Clinic allowed a local news station (WQOW) to record and broadcast an interview with [redacted], during which [redacted] PHI was visible on [redacted] computer screen. Among the pieces of information visible on the computer screen in the broadcast were [redacted] medical history number, name, age, birthday, and x-rays. [redacted] also asserts that the video of the broadcast was available online for approximately two weeks, while a still image of [redacted] handling [redacted] x-rays was available on the station's website. These allegations could reflect violations of 164.404 and 164.530(c) of the Privacy Rule.

OCR enforces the Privacy and Security Rules and the Breach Notification Rule. OCR also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint.
On March 8, 2013, OCR notified Marshfield of this complaint. On March 13, 2013, Marshfield provided a written response to OCR confirming that the disclosure had occurred as alleged. Marshfield acknowledged that, without the knowledge or authorization of Marshfield, [redacted] invited WQOW to his office at Marshfield to film a piece on his campaign for school board, both violating Marshfield's policies and procedures and disclosing the PHI of [redacted] and another patient in the process. The video footage was placed on WQOW's website on [month illegible] 31, 2012, and broadcast on television on January 31 and February 1. The footage contained a Clinic Office Note and radiology imagery and was removed from the station's website on February 15, 2012. OCR has noted that the x-ray image previously viewable on WQOW's webpage (which contained no individually identifiable information) has been removed from the article in which it previously appeared.

The Privacy Rule prohibits disclosures of PHI not related to a permissible purpose, such as treatment or billing. See: 45 C.F.R., Uses and disclosures of protected health information: Permitted uses and disclosures. Covered entities are also required to implement sufficient safeguards to prevent the impermissible disclosure of PHI. See: 45 C.F.R., Safeguards. The Privacy Rule also states that covered entities must mitigate impermissible disclosures of information to the extent practicable and sanction or retrain responsible staff members. See: 45 C.F.R., Sanctions, and 45 C.F.R. 164.530(f), Mitigation. Additionally, the Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. See: 45 C.F.R. 164.306 - 164.312. Specifically, covered entities must have in place policies and procedures regarding security incidents and must implement security awareness training. See: 45 C.F.R., Security awareness and training, and Security incident procedures.
Covered entities must also have policies and procedures governing workstation use and security. See: 45 C.F.R., Workstation Use and Workstation Security. In the event that a covered entity discovers a breach of unsecured PHI, 45 C.F.R. 164.404(a) requires that the covered entity notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

To resolve the issues raised in this matter, Marshfield took the following voluntary actions:

1. Notified the affected individuals of the impermissible disclosure on March 30, 2012.
2. Informed [redacted] of his violation of the Privacy Rule.[1]
3. Provided evidence that it retrained [redacted] and [redacted] (two employees also involved in the filming) on Marshfield's policies and procedures regarding confidentiality, HIPAA and HITECH.
4. Reviewed the disclosure and its Code of Business Ethics and Political Activity policies (which were also violated) at a staff meeting.
5. Provided a year of identity protection service to the affected individuals.

OCR has reviewed Marshfield's policies and procedures regarding uses and disclosures of PHI and its policies and procedures regarding safeguards and finds that they generally comport with the requirements of the Privacy Rule. Additionally, OCR has reviewed Marshfield's information security policies and procedures and finds that they satisfactorily meet the requirements of the Security Rule. All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Marshfield Clinic. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.
[1] [illegible] at the time he was notified of his violation on February 3, 2012, and subsequently resigned on April 9, 2012, before Marshfield could administer retraining or sanctions.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Jeffrey Dunifon, Investigator, at (312) 353-0752 (Voice) or (312) 353-5963 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager