DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 886-2359
TDD - (312) 353-5693
FAX - (312) 886-1807

February 28, 2014

[complainant name and address redacted, (b)(6), (b)(7)(C)]

Re: OCR Transaction Number: 13-1673?5

Dear [name redacted]:

On August 27, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that Marshfield Clinic (Marshfield), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that your protected health information (PHI), as maintained by Marshfield, was impermissibly used by a Marshfield employee. This allegation could reflect a violation of 45 C.F.R. § 164.502(a) and [second citation illegible].

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In general, the Privacy Rule requires that a covered entity or business associate may not use or disclose PHI, except as permitted or required by the Rule. 45 C.F.R. § [section illegible]. In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R. § [section illegible]. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided Marshfield with guidance to comply with 45 C.F.R. § 164.502(a) and [second citation illegible]. Specifically, Marshfield took the following corrective actions:

1) counseled the individual staff member on the Code of Business Ethics and Conduct, Employee Conduct, and Patient Information Confidentiality policies;
2) required the staff member to complete HIPAA/HITECH refresher training;
3) reviewed the above-mentioned policies with the entire medical transcription department staff;
4) sanctioned the individual staff member in accordance with Marshfield's progressive disciplinary policy; and
5) reported the incident to OCR.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to 45 C.F.R. § [section illegible].

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Wandah Hardy, Investigator, at (312) 353-9374 (Voice) or (312) 353-5693 (TDD).

Sincerely,

[signed]
Celeste H. Davis
Regional Manager

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. § 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. § 164.530. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 886-2359
TDD - (312) 353-5693
FAX - (312) 886-1807

February 28, 2014

Privacy Officer
Marshfield Clinic
1000 North Oak Ave.
Marshfield, WI

Re: OCR Transaction Number: 13-1673?5

Dear [name redacted]:

On August 27, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that Marshfield Clinic, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant, [name redacted], alleges that her protected health information (PHI), as maintained by Marshfield, was impermissibly used by a Marshfield employee. This allegation could reflect a violation of 45 C.F.R. § 164.502(a) and [second citation illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In general, the Privacy Rule requires that a covered entity or business associate may not use or disclose PHI, except as permitted or required by the Rule. 45 C.F.R. § [section illegible]. In addition, a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R. § [section illegible]. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

OCR is pleased that, in response to our investigation, Marshfield has taken the following steps toward coming into compliance with 45 C.F.R. § [section illegible]. Specifically, Marshfield took the following corrective actions:

1) counseled the individual staff member on the Code of Business Ethics and Conduct, Employee Conduct, and Patient Information Confidentiality policies;
2) required the staff member to complete refresher training;
3) reviewed the above-mentioned policies with the entire medical transcription department staff;
4) sanctioned the individual staff member in accordance with Marshfield's progressive disciplinary policy; and
5) reported the incident to OCR.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of Marshfield related to your compliance with 45 C.F.R. § [section illegible].

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Wandah Hardy, Investigator, at (312) 353-9374 (Voice) or (312) 353-5693 (TDD).

Sincerely,

[signed]
Celeste H. Davis
Regional Manager

Enclosure: Reasonable Safeguards

Reasonable Safeguards
45 C.F.R. § 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. § 164.530. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.