DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 2411
Chicago, IL 60601
Voice - (312) 336-2359
TDD - (312) 353-5693
FAX - (312) 336-1813

September 9, 2013

Re: OCR Transaction Number: 13-163425

Dear [name redacted]:

On July 25, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that the Department of Veterans Affairs - Regional Chicago Office (DVA) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, on June 6, 2013, DVA impermissibly disclosed your protected health information (PHI) when DVA sent a letter containing your PHI to the wrong address after not updating your new address. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c).

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule allows health care providers and health plans to share PHI for permitted purposes using the mail or fax, as long as they use reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

We have carefully reviewed your complaint against DVA and have determined to resolve this matter informally through the provision of technical assistance to DVA. Should OCR receive a similar allegation of noncompliance against DVA in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to sharing PHI for permitted purposes using the mail or fax.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Andrew C. Kruley, J.D., OCR Investigator, at (312) 836-5888 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager

Enclosure: Checklist

May a physician's office or health plan use mail or fax to send patient medical information?

Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care clearinghouses to share protected health information with another organization or with the individual, they may use a variety of means to deliver the information, as long as they use reasonable safeguards when doing so. When the communications are in writing, the patient information may be sent by mail, fax, or other means of reliable delivery. The Privacy Rule requires that covered entities apply reasonable safeguards when making these communications to protect the patient information from inappropriate use or disclosure to unauthorized persons. These safeguards will vary depending on the mode of communication used.

For example, when mailing patient information, reasonable safeguards would include checking to see that the name and address of the recipient are correct and current and that only the minimum amount of patient information is showing on the outside of the envelope to ensure proper delivery to the intended recipient. When faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard would include first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care provider, health plan, or health care clearinghouse may put in place to protect patient information from being impermissibly disclosed during (1) mailing and (2) faxing. See 45 C.F.R.

MAILING CHECKLIST

[ ] Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient.

[ ] Carefully check the contents of the envelope before sealing. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included in the envelope.

[ ] Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed.

[ ] When doing mass mailings, do a test run to ensure the system is properly performing and check at least a sample of the mailings for the accuracy of name and address of the intended recipients and the correct contents, as indicated above, before sending.

[ ] Have policies and procedures in place to safeguard protected health information that is mailed, including processes to act on (1) name and address changes to ensure corrections are made in all the relevant records; and (2) reports of misdirected mail to identify the cause and take steps to prevent future incidents.

[ ] Train staff on the mailing procedures that your organization has put in place to safeguard protected health information during mailing. Update the training periodically and be sure to train new staff.

FAXING CHECKLIST

[ ] Carefully check the fax number to make sure you have the correct number for the intended recipient. When manually entering the number, check to see that it has been entered correctly before sending.

[ ] Confirm fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.

[ ] Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.

[ ] Update fax numbers upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.

[ ] Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending.

[ ] Have policies and procedures in place to safeguard protected health information that is faxed, including processes to act on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures.

[ ] Train staff on the policies and procedures for the proper use of fax machines that your organization has put in place to safeguard protected health information during faxing. Update the training periodically and be sure to train new staff.
DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) 336-2359
TDD - (312) 353-5693
FAX - (312) 336-1813

September 9, 2013

Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office (10P2C1)
Department of Veterans Affairs, Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

Re: OCR Transaction Number: 13-163425

Dear Ms. Wilson:

On July 25, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint alleging that the Department of Veterans Affairs Regional Chicago Office (DVA) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complaint alleges that, on June 5, 2013, DVA impermissibly disclosed [redacted] protected health information (PHI) when DVA sent a letter containing [redacted] PHI to the wrong address after not updating [redacted] new address. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c).

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Generally, the Privacy Rule permits a covered entity to make disclosures of PHI for a permitted purpose, through a variety of means, such as by mail or facsimile machine, as long as the covered entity, when doing so, uses reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

In this matter, the complainant alleges that PHI was impermissibly disclosed either through the mail or by fax. Pursuant to its authority under 45 C.F.R. 160.304(a), OCR has determined to resolve this matter informally through the provision of technical assistance to DVA. To that end, OCR has enclosed a checklist of reminders on how to safely use the mail or fax machines when sending PHI. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter.

Should OCR receive a similar allegation of noncompliance against DVA in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this report that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Andrew C. Kruley, J.D., Investigator, at (312) 886-5888 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager

Enclosure: Checklist

May a physician's office or health plan use mail or fax to send patient medical information?

Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care clearinghouses to share protected health information with another organization or with the individual, they may use a variety of means to deliver the information, as long as they use reasonable safeguards when doing so. When the communications are in writing, the patient information may be sent by mail, fax, or other means of reliable delivery. The Privacy Rule requires that covered entities apply reasonable safeguards when making these communications to protect the patient information from inappropriate use or disclosure to unauthorized persons. These safeguards will vary depending on the mode of communication used.

For example, when mailing patient information, reasonable safeguards would include checking to see that the name and address of the recipient are correct and current and that only the minimum amount of patient information is showing on the outside of the envelope to ensure proper delivery to the intended recipient. When faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard would include first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care provider, health plan, or health care clearinghouse may put in place to protect patient information from being impermissibly disclosed during mailing and faxing. See 45 C.F.R.

MAILING CHECKLIST

[ ] Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient.

[ ] Carefully check the contents of the envelope before sealing. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included in the envelope.

[ ] Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed.

[ ] When doing mass mailings, do a test run to ensure the system is properly performing and check at least a sample of the mailings for the accuracy of name and address of the intended recipients and the correct contents, as indicated above, before sending.

[ ] Have policies and procedures in place to safeguard protected health information that is mailed, including processes to act on (1) name and address changes to ensure corrections are made in all the relevant records; and (2) reports of misdirected mail to identify the cause and take steps to prevent future incidents.

[ ] Train staff on the mailing procedures that your organization has put in place to safeguard protected health information during mailing. Update the training periodically and be sure to train new staff.

FAXING CHECKLIST

[ ] Carefully check the fax number to make sure you have the correct number for the intended recipient. When manually entering the number, check to see that it has been entered correctly before sending.

[ ] Confirm fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.

[ ] Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.

[ ] Update fax numbers upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.

[ ] Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending.

[ ] Have policies and procedures in place to safeguard protected health information that is faxed, including processes to act on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures.

[ ] Train staff on the policies and procedures for the proper use of fax machines that your organization has put in place to safeguard protected health information during faxing. Update the training periodically and be sure to train new staff.