f?m?h DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
Voice - (312} 336?2359 Of?ce for Civil Rights, Region 
a TDD - {312] 353-5693 233 N. Michigan Ave, Suite 240

a

Nun

(FAX) {312} 386-1807 Chicago, IL 60601


February 5, 2016

 



 

 

 

   
   
   

   
 
 



  
 
  

  
 
  
 

  

Re:



. I 
ber: 14-168325

OCR Transactio 


 

4.
urn

 

 

Dear

 

 

On October 9, 2013, the US. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR), received your complaint alleging that Planned Parenthood, the covered
entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Information andlor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). Specifically, you allege that, an employee of Planned Parenthood impermissibly
disclosed your protecfedlm?ml) to a third party. You stated that, on
September 25, left a comment under the public posts of your
Facebook page pertaining to a procedure you had done at Planned Parenthood. This
allegation could reflect a violation of 45 C.F.R. 164.520(a) and 

Thank you for bringing this matter to attention. Your complaint is an integral part of
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in
violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to
otherwise permitted or required use or disclosure. 45 C.F.R. For example,
such safeguards might include shredding documents containing protected health information
before discarding them, securing medical records with lock and key or pass code, and
limiting access to keys or pass codes.

 

We have carefully reviewed your complaint against Planned Parenthood and have
determined to resolve this matter informaily through the provision of technical assistance to
Planned Parenthood. Should OCR receive a similar allegation of noncompliance against
Planned Parenthood in the future, OCR may initiate a formal investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule
provisions related to Safeguards.

 

 

Page 2

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter. OCR's determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that
identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Alyce Hilden, Investigator,
at (312) 353-9688 (Voice) or {312) 353-5693 (TDD).

Since ely,
Ala??

Celeste H. Davis
Regional Manager

Enclosure: Reasonable Safeguards

 

 

 

Page 3

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as
well as that limit incidental uses or disclosures. See 45 C.F.R. It is not
expected that a covered entity's safeguards guarantee the privacy of protected health
information from any and all potential risks. Reasonable safeguards will vary from covered
entity to covered entity depending on factors, such as the size of the covered entity and the
nature of its business. In implementing reasonable safeguards, covered entities should
analyze their own needs and circumstances, such as the nature of the protected health
information it holds, and assess the potential risks to patients' privacy. Covered entities
should also take into account the potential effects on patient care and may consider other
issues, such as the ?nancial and administrative burden of implementing particular
safeguards.

Many heaith care providers and professionals have long made it a practice to ensure
reasonable safeguards for individuals' health information - for instance:

a By speaking quietly when discussing a patient?s condition with family members in a
waiting room or other public area;

a By avoiding using patients' names in public hallways and elevators, and posting signs
to remind employees to protect patient con?dentiality 

By isolating or locking ?le cabinets or records rooms; or

- By providing additional security, such as passwords, on computers maintaining
personal information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of
conduct to develop the reasonable safeguards required by the Privacy Rule.

 

gimme DEPARTMENT OF HEALTH a HUMAN SERVICES OFFICE OF THE SECRETARY

 

a? voice - i312) ass-2359 Office for Civil flights, Region 
1 TDD - (312} 353-5693 233 N. Michigan Ave, Suite 240
Em - (312} ass?130? Chicago, IL 6060]

I'd

June 13, 2014

The Privacy Officer
Planned Parenthood
1200 N. LaSalle Street
Chicago, Il 60610

Re:

 

Dear Privacy Of?cer:

On October 9, 2013, the U.S. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR), received a complaint alleging that Planned Parenthood, the covered
entity, has violated the Federai Standards for Privacy of Individually Identi?able Health
Information andlor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). Specifically, the complainant alleges that, an employee of Planned

Parenthood lmermissibl disclosed her protected health information PHI to a third party.
According to on September 25, 2013, {bil?l'ibimicl I left a comment
under the PUbliC Posts Of Facebook page pertaining to a procedure she had

done at Planned Parenthood. This aliegation could re?ect a violation of 45 C.F.R. 
164.502(a) and 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable
safeguards to prevent impermissible disclosures of PHI. A covered entity must maintain
reasonable and appropriate administrative, technical, and physical safeguards to prevent
intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to
limit its incidental use and disclosure pursuant to otherwise permitted or required use or
disclosure. 45 C.F.R. 

Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to
resolve this matter informally through the provision of technical assistance to Planned
Parenthood. To that end, OCR has enclosed material explaining the Privacy Rule provisions
related to Reasonable Safeguards.

You are encouraged to review these materials closely and to share them with your staff as
part of the Heaith Insurance Portability and Accountability Act (HIPAA) training you provide
to your workforce. You are also encouraged to assess and determine whether there may
have been any noncompliance as alleged by the complainant in this matter, and, if so, to
take the steps necessary to ensure such noncompliance does not occur in the future. In

addition, OCR encourages you to review the facts of this individual's complaint and provide
the individual the appropriate written response swiftly if necessary to comply with the
requirements of the Privacy Rule. Should OCR receive a similar allegation of noncompliance
against to Planned Parenthood in the future, OCR may initiate a formal investigation of that
matter. In addition, please note that, after a period of six months has passed, OCR may
initiate and conduct a compliance review of to Planned Parenthood related to your
compliance with the Privacy Rules provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter. OCR's determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that
identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Alyce Hilden, Investigator,
at (312) 353-9633 (Voice) or (312) 353-5693 (TDD).

Sincerely,

?aw/L

Celeste I-i. Davis
Regional Manager

Enclosure: Reasonable Safeguards

Page 3

Reasonable Safeguards
45 can. 154.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as
well as that limit incidental uses or disclosures. See 45 C.F.R. ?164.530 It is not
expected that a covered entity's safeguards guarantee the privacy of protected health
information from any and all potential risks. Reasonable safeguards will vary from covered
entity to covered entity depending on factors, such as the size of the covered entity and the
nature of its business. In implementing reasonable safeguards, covered entities should
analyze their own needs and circumstances, such as the nature of the protected health
information it holds, and assess the potential risks to patients' privacy. Covered entities
should also take into account the potential effects on. patient care and may consider other
issues, such as the ?nanciai and administrative burden of implementing particular
safeguards.

Many health care providers and professionals have long made it a practice to ensure
reasonable safeguards for individuals' health information - for instance:

By speaking quietiy when discussing a patient's condition with family members in a
waiting room or other public area;

a: By avoiding using patients' names in public hallways and elevators, and posting signs
to remind employees to protect patient con?dentiality 

a By isolating or locking ?le cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining
personal information. .

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of
conduct to develop the reasonable safeguards required by the Privacy Rule.