DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice: (312) 336-2359
TDD: (312) 353-5693
FAX: (312) 336-180?

November 13, 2013

The Privacy Officer
Tricare West
P.O. Box 7889
Madison, WI 53707

Re: [name redacted] v. Tricare West
OCR Transaction Number: 14-169771

Dear Privacy Officer:

On October 31, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint alleging that Tricare West, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complainant, [name redacted], filed a complaint on behalf of her son, alleging that, on or around June 28, 2013, a staff member of Tricare West impermissibly disclosed her son's protected health information (PHI) to a third party and permitted [illegible] change[s] [illegible] PHI. [illegible] is insured [illegible] coverage. This allegation could reflect a violation of 45 C.F.R. [sections illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care.
The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. [section illegible].

In this matter, the complainant alleges that the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant, or that the complainant's PHI was otherwise impermissibly used by an employee of Tricare West. Pursuant to its authority under 45 C.F.R. 160.304(a) and [illegible], OCR has [provided the enclosed materials] related to Disclosures to Family and Friends, the [Minimum Necessary Requirement, and] Reasonable Safeguards. It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. It is also our expectation that you will assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.
Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against Tricare West in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Alyce Hilden, Investigator, at (312) 353-9638 (Voice) or (312) 353-5693 (TDD).

Celest H. Davis
Manager

Enclosures:
- Disclosures to Family and Friends
- The Minimum Necessary Requirement
- Reasonable Safeguards


DISCLOSURES TO FAMILY AND FRIENDS

The Privacy Rule does not require a health care provider or health plan to share information with a patient's family or friends, unless they are the patient's personal representatives. The law does permit providers and plans to share information with a patient's family or friends in certain circumstances. A health care provider or health plan may share relevant information with family members or friends involved in the patient's health care or payment for the patient's health care, if the patient tells the provider or plan that it can do so, or if the patient does not object to sharing of the information. For example, if the patient does not object, the patient's doctor could talk with the friend who goes with the patient to the hospital or a family member who pays the patient's medical bill.

A provider or plan may also share relevant information with these persons if, using its professional judgment, it believes that the patient does not object. For example, if a patient sends a friend to pick up your prescription for the patient, the pharmacist can assume that the patient does not object to their being given the medication.

When the patient is not there or is injured and cannot give their permission, a provider may share information with these persons when it decides that doing so would be in the patient's best interest.

Q: Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?

A: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on their professional judgment, that the patient does not object. Under these circumstances, for example:

- A doctor may give information about a patient's mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient's payment options with her adult daughter.
- A doctor may instruct a patient's roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient's treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient's incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR [section illegible]. Thus, for example:

- A surgeon may, if consistent with such professional judgment, inform a patient's spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient's progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient's condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient's best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Q: If the patient is not present or is incapacitated, may a health care provider still share the patient's health information with family, friends, or others involved in the patient's care or payment for care?

A: Yes. If the patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient's care or payment. Here are some examples:

- A surgeon who did emergency surgery on a patient may tell the patient's spouse about the patient's condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient's bill with her adult son who calls the hospital with questions about charges to his mother's account.
- A health care provider may give information regarding a patient's drug dosage to the patient's health aide who calls the provider with questions about the particular prescription.

BUT:

- A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.
- A health care provider is not required by HIPAA to share a patient's information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

HIPAA Privacy Rule Disclosures to a Patient's Family, Friends, or Others Involved in the Patient's Care or Payment for Care

(Table, rebuilt from the scan. Columns: "Family Member or Friend" and "Other Persons".)

Patient is present and has the capacity to make health care decisions

  Family Member or Friend: Provider may disclose relevant information if the provider does one of the following: (1) Obtains the patient's agreement; (2) Gives the patient an opportunity to object and the patient does not object; (3) Decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

  Other Persons: Provider may disclose relevant information if the provider does one of the following: (1) Obtains the patient's agreement; (2) Gives the patient an opportunity to object and the patient does not object; (3) Decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

Patient is not present or is incapacitated

  Family Member or Friend: Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

  Other Persons: Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, the provider believes the disclosure to be in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.


THE MINIMUM NECESSARY REQUIREMENT
45 C.F.R. 164.502(b) and 164.514(d)

Background

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today.
It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual's authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

Uses and Disclosures of, and Requests for, Protected Health Information

For uses of protected health information, the covered entity's policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required. For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where protected health information is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply.

Reasonable Reliance

In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

- A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR 164.512(b)).
- Another covered entity.
- A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.

Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.
Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.

Q: [question not legible in the scan]

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or record rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the Privacy Rule.


REASONABLE SAFEGUARDS
45 C.F.R. 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. 45 C.F.R. §164.530.
It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information - for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.
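The Minimum Necessary enclosure describes a policy shape (classes of persons, the PHI categories each needs, an explicit justification for any entire-record access, and purposes to which the standard does not apply) that an electronic record system can enforce as field-level access. The following is an added illustration in Python, not code from the letter or from HHS; the role names, PHI categories, purpose labels and sample record are all constructed for the example.

```python
from dataclasses import dataclass

# Purposes to which the guidance says the minimum necessary standard does not
# apply (the "How the Rule Works" list). Labels are constructed for this example.
EXEMPT_PURPOSES = {"treatment_provider", "subject_individual", "authorization",
                   "hipaa_admin_simplification", "hhs_enforcement", "required_by_law"}

# A constructed policy in the shape the guidance calls for: classes of persons,
# the PHI categories each class needs, and a documented justification wherever
# a class is granted the entire record.
ROLE_POLICY = {
    "billing_clerk": {"categories": {"demographics", "insurance", "charges"}},
    "front_desk": {"categories": {"demographics", "appointments"}},
    "attending_physician": {
        "categories": set(), "entire_record": True,
        "justification": "Treating clinicians need the full record to deliver care.",
    },
}

@dataclass
class Decision:
    allowed: bool
    released: dict   # the PHI actually released, keyed by category
    reason: str      # why, so the decision can be audited later

def validate_policy(policy):
    """Return the policy defects: any entire-record grant that lacks the
    explicit justification the guidance requires."""
    return [f"{role}: entire-record access lacks the required justification"
            for role, rule in policy.items()
            if rule.get("entire_record") and not rule.get("justification")]

def minimum_necessary(record, role, purpose, policy=ROLE_POLICY):
    """Apply the minimum necessary standard to a request for `record`
    by a workforce member in `role` for the stated `purpose`."""
    if purpose in EXEMPT_PURPOSES:
        # Standard does not apply: no filtering, but the reason is recorded.
        return Decision(True, dict(record), f"standard does not apply: {purpose}")
    rule = policy.get(role)
    if rule is None:
        return Decision(False, {}, f"no policy entry for role {role!r}")
    if rule.get("entire_record"):
        if not rule.get("justification"):
            return Decision(False, {}, "entire-record grant is undocumented; refusing")
        return Decision(True, dict(record), rule["justification"])
    # Routine use: release only the categories the policy names for this role.
    released = {cat: data for cat, data in record.items() if cat in rule["categories"]}
    if not released:
        return Decision(False, {}, f"role {role!r} needs none of the requested categories")
    withheld = sorted(set(record) - set(released))
    return Decision(True, released, f"limited to {sorted(released)}; withheld {withheld}")

# Constructed sample record, keyed by PHI category.
SAMPLE_RECORD = {
    "demographics": {"name": "J. Doe", "dob": "1980-01-01"},
    "insurance": {"plan": "Example Plan", "member_id": "EX-0001"},
    "charges": {"balance": 120.00},
    "appointments": {"next": "2013-11-20"},
    "diagnoses": {"active": ["hypertension"]},
    "medications": {"current": ["lisinopril"]},
}

if __name__ == "__main__":
    for role, purpose in [("billing_clerk", "payment"), ("front_desk", "scheduling"),
                          ("front_desk", "treatment_provider"), ("visitor", "payment")]:
        d = minimum_necessary(SAMPLE_RECORD, role, purpose)
        print(f"{role}/{purpose}: allowed={d.allowed} released={sorted(d.released)} ({d.reason})")
```

Running validate_policy against a draft policy before deployment catches the defect the guidance singles out: an entire-record grant with no stated justification.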