DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 336-2359
TDD - (312) 353-5693
(Fax) - (312) see-1307

September 27, 2013

OCR Transaction Number:
Re:

On July 10, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that Wisconsin Department of Veteran Affairs Kings Veterans Home, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that the covered entity does not protected health information (PHI), has not conducted an audit of its servers, failed to provide training to its staff, and failed to conduct a risk assessment. This allegation could reflect a violation of 45 C.F.R.

Thank you for bringing this matter to attention. Your complaint is an integral part of OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

In addition, a covered entity must identify those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties; and for each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access. 45 C.F.R. and (B).

We have carefully reviewed your complaint against Wisconsin Department of Veteran Affairs Kings Veterans Home and have determined to resolve this matter informally through the provision of technical assistance to Wisconsin Department of Veteran Affairs Kings Veterans Home. Should OCR receive a similar allegation of noncompliance against Wisconsin Department of Veteran Affairs Kings Veterans Home in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Arturo Garcia, Investigator, at (312) 36-528? (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste Davis
Regional Manager

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. § 164.530(c)

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information - for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 335-2359
TDD - (312) 353-5693
(Fax) - (312) ass-130?

September 25, 2013

Privacy Officer
Wisconsin Department of Veteran Affairs Kings Veterans Home
N2665 County Road QQ
King, Wisconsin 54946

OCR Transaction Number: 13-16265?
Re:

Dear Privacy Officer:

On July 10, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint from the complainant, alleging that the Wisconsin Department of Veteran Affairs Kings Veterans Home, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that the covered entity does not protected health information (PHI), has not conducted an audit of its servers, has failed to provide training to its staff, and also has failed to conduct a risk assessment. These allegations could reflect a violation of the Privacy and Security Rules.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable safeguards to prevent impermissible disclosures of protected health information (PHI). A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R.
In addition, the complainant avers that the covered entity allows an employee, Rick Garza, to have remote access to all workstations, network switches, and file servers. The Privacy Rule requires that a covered entity identify those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties; and for each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access. 45 C.F.R. and (B).

Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to the Wisconsin Department of Veteran Affairs Kings Veterans Home. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Reasonable Safeguards. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review the facts of this individual's complaint and provide the appropriate written response swiftly if necessary to comply with the requirements of the Privacy Rule.

Should OCR receive a similar allegation of noncompliance against Wisconsin Department of Veteran Affairs Kings Veterans Home in the future, OCR may initiate a formal investigation of that matter. In addition, please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of Wisconsin Department of Veteran Affairs Kings Veterans Home related to your compliance with the Privacy Rule's provisions related to Reasonable Safeguards.
Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Arturo Garcia, Investigator, at (312) 336-5237 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. 45 C.F.R. § 164.530 It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information - for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.