DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 336-2359
TDD - (312) 353-5593
(FAX) - (312) 886-1130

September 26, 2013

Re: (W)le . u. Permann - OCR Transaction Number: 13-163162

Dear {bi'EBMbiUi

On July 22, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that Kaiser Permanente, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, on January 20 August 2013, August 31, 2013, September 6, 2012, September 11, 2012, September 2012, September 21, 2012, and September 23, 2012, Kaiser Permanente impermissibly disclosed her and her two children's protected health information (PHI) when it sent that information to a wrong address. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c) of the Privacy Rule.

Thank you for bringing this matter to attention. Your complaint plays an integral part in OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule allows health care providers and health plans to share protected health information (PHI) for permitted purposes using mail or fax, as long as they use reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. 164.502(a). These safeguards may vary depending on the mode of communication used.
For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

We have carefully reviewed your complaint against Kaiser Permanente and have determined to resolve this matter informally through the provision of technical assistance to Kaiser Permanente. Should OCR receive a similar allegation of noncompliance against Kaiser Permanente in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Arturo Garcia, Investigator, at (312) 386628? (Voice) or (312) 353-5593 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) 386-2359
TDD - (312) 353-5693
(FAX) - (312) see-1307

September 30, 2013

Privacy Officer
Kaiser Permanente
1001 Lakeside Drive
Cleveland, Ohio 44114

Re: IWBL Iv. Kaiser Permanente
OCR Transaction Number: 13-163162

Dear Privacy Officer:

On July 22, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by the complainant, alleging that Kaiser Permanente, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complainant alleges that, on January 2013, August 7, 2013, August 31, 2013, September 6, 2012, September 11, 2012, September 2012, September 21, 2012, and September 28, 2012, Kaiser Permanente impermissibly disclosed her and her two children's protected health information (PHI) when it sent that information to a wrong address. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c) of the Privacy Rule.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws, which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Generally, the Privacy Rule permits a covered entity to make disclosures permitted purpose, through a variety of means, mail or facsimile machine, as long as the covered entity, when doing so, uses reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

In this matter, the complainant alleges that PHI was impermissibly disclosed either through the mail or by fax. Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to Kaiser Permanente. To that end, OCR has enclosed a checklist of reminders on how to safely use the mail or fax machines when sending PHI.
You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against Kaiser Permanente in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Arturo Garcia, Investigator, at (312) 386-5896 (Voice), (312) 353-5693 (TDD), or art.garcia@hhs.gov (E-mail).

Sincerely,

Celeste H. Davis
Regional Manager

Enclosure: Checklist


Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care clearinghouses to share protected health information with another organization or with the individual, they may use a variety of means to deliver the information, as long as they use reasonable safeguards when doing so. When the communications are in writing, the patient information may be sent by mail, fax, or other means of reliable delivery.
The Privacy Rule requires that covered entities apply reasonable safeguards when making these communications to protect the patient information from inappropriate use or disclosure to unauthorized persons. These safeguards will vary depending on the mode of communication used. For example, when mailing patient information, reasonable safeguards would include checking to see that the name and address of the recipient are correct and current and that only the minimum amount of patient information is showing on the outside of the envelope to ensure proper delivery to the intended recipient. When faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard would include first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care provider, health plan, or health care clearinghouse may put in place to protect patient information from being impermissibly disclosed during (1) mailing and (2) faxing. See 45 C.F.R. 164.530(c).

MAILING CHECKLIST

☐ Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient.

☐ Carefully check the contents of the envelope before sealing. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included in the envelope.

☐ Check the information showing on the outside of the envelope or through the address window.
Make sure identifying information that is not necessary to ensure proper delivery is not disclosed.

☐ When doing mass mailings, do a test run to ensure the system is properly performing and check at least a sample of the mailings for the accuracy of name and address of the intended recipients and the correct contents, as indicated above, before sending.

☐ Have policies and procedures in place to safeguard protected health information that is mailed, including processes to act on (1) name and address changes to ensure corrections are made in all the relevant records; and (2) reports of misdirected mail to identify the cause and take steps to prevent future incidents.

FAXING CHECKLIST

☐ Carefully check the fax number to make sure you have the correct number for the intended recipient. When manually entering the number, check to see that it has been entered correctly before sending.

☐ Confirm fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.

☐ Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.

☐ Update fax numbers upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.

☐ Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending.

☐ Have policies and procedures in place to safeguard protected health information that is faxed, including processes to act on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures.

☐ Train staff on the policies and procedures for the proper use of fax machines that your organization has put in place to safeguard protected health information during faxing. Update the training periodically and be sure to train new staff.