5?;sz
DEPARTIHENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY
Voice . (are) Tor?costs, taco) sea-1019 Too - (214} 167.8940
(FAX) - (214) 757.0432 hummer-legumes Of?ce for Civil Rights, Region VI
mm? 1301 Young Street, Suite 1169
Dallas, TX 75292
{bli?llbliilicl

 

 

 

Our Transaction number: 13-151 128

 

Dear are) (nitric)

 

 

 

On October 22, 2012, the US. Department of Health and Human Services (HI-IS), Of?ce for Civil
Rights (OCR), received your complaint alleging that VA Medical Center in Miami, Fl, the covered
entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information
andfor the Security Standards for the Protection of Electronic Protected Health [nfonnation (45
C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, you
allege that, in April2012, VA Medical Center failed to safeguard patient information when your
Protected Health Information (PHI) (Le. breast images) were used by the surgeon for teaching
purposes. When you requested your images they were found unsecured in a top desk drawer. This
allegation could re?ect a violation of 45 C.F.R. 

Thank you for bringing this matter to attention. Your complaint is an integral part of 
enforcement efforts. 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and physical
safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy
Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or
disclosure. 45 C.F.R. For example, such safeguards might include shredding documents
containing protected health information before discarding them, securing medical records with lock
and key or pass code and limiting access to keys or pass codes.

We have carefully reviewed your complaint against VA Medical Center and have determined to
resolve this matter informally through the provision of technical assistance to VA Medical Center.
Should OCR receive a similar allegation of noncompliance against VA Medical Center in Miami,
Fl., in the future, OCR may initiate a formal investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions
related to Safeguards.

Based on the foregoing, OCR is-closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals or
that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Karen Buckner, Investigator, at 214-
767-4510 (Voice), 214-767-8940 (TDD).

Sincerely,

  

I . oz 0
egional ager
Region VI

Enclosure: Reasonable Safeguards

Reasonable Safeguards
4S C.F.R. 164.530 (6)

A covered entity must have in place appropriate administrative, technical, and physical safeguards
that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit
incidental uses or disclosures. See 45 C.F.R. ?164.530 it is not expected that a covered entity?s
safeguards guarantee the privacy of protected health information from any and all potential risks.
Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as
the size of the covered entity and the nature of its business. In implementing reasonable safeguards,
covered entities should analyze their own needs and circumstances, such as the nature of the
protected health information it holds, and assess the potential risks to patients? privacy. Covered
entities should also take into account the potential effects on patient care and may consider other
issues, such as the ?nancial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable
safeguards for individuals? health information for instance:

a By speaking quietly when discussing a patient?s condition with family members in a waiting
room or other public area;

0 By avoiding using patients? names in public hallways and elevators, and posting signs to
remind employees to protect patient confidentiality;

- By isolating or looking ?le cabinets or records rooms; or

It By providing additional security, such as passwords, on computers maintaining personal
information.

Protection of patient confidentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of conduct to
develop the reasonable safeguards required by the Privacy Rule.

 


i
it
a

ma
EARMNT OF HEALTH 8; HUMAN SERVICES OFFICE OF THE SECRETARY
Voice (214} Tait-4056, {eon} see-rots TDD - {214} rot-ease 
(Fax) - (214) rev-0432 Wm Office for Civil Rights, Region VI .
Id

3% 1301 Young Street, Suite 1169
Dallas, TX 75202

SEF 21 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPPIG

VHA Privacy Implementation Coordinator

Information Access and Privacy Of?ce- 

Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW

Washington DC 20420

Our Transaction Number: 13-151 128
Dear Ms. Wilson:

On October 22, 2012, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), received a complaint alleging that the VA Medical Center in Miami, the covered
entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information
andfor the Security Standards for the Protection of Electronic Protected Health Information (45
C.F.R. Parts 160 and 164, Suhparts A, C, and E, the Privacy and Security Rules). Speci?cally, the
complainant alleges that, in April 2012, VA Medical Center failed to safeguard patient information

 

 

when libli?iimm'?' IProtected Health Information (PHI) breast images) were used by
the surgeon for teaching purposes. WhenWrequested her images they were found

unsecured in a top desk drawer. This allegation could reflect a violation of 45 CPR. 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable safeguards
to prevent impermissible disclosures of protected health information (PHI). A covered entity must
maintain reasonable and apprOpriate administrative, technical, and physical safeguards to prevent
intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its
incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 CPR.


Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this
matter informally through the provision of technical assistance to VA Medical Center. To that end,
OCR has enclosed material explaining the Privacy Rule provisions related to Reasonable
Safeguards.

You are encouraged to review these materials closely and to share them with your staff as part of the
Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been any
noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to

ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review
the facts of this individual?s complaint and provide the individual the appropriate written response
swiftly if necessary to comply with the requirements of the Privacy Rule.

Should OCR receive a similar allegation of noncompliance against VA Medical Center in Miami,
L., in the future, OCR may initiate a formal investigation of that matter. In addition, please note
that, after a period of six months has passed, OCR may initiate and conduct a. compliance review of
VA Medical Center related to your compliance with the Privacy Rule?s provisions related to
Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals or
that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Karen Buckner, Investigator, at 214-
767-4510 (Voice), 214-767-8940 (TDD). -

Sincerely,

   

Jo 
Regional nager
Region VI

Enclosure: Reasonable Safeguards

Version 7-29-13

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical safeguards
that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit
incidental uses or disclosures. See 45 CPR. ?164.530 It is not expected that a covered entity?s
safeguards guarantee the privacy of protected health information from any and all potential risks.
Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as
the size of the covered entity and the nature of its business. In implementing reasonable safeguards,
covered entities should analyze their own needs and circumstances, such as the nature of the
protected health information it holds, and assess the potential risks to patients? privacy. Covered
entities should also take into account the potential effects on patient care and may consider other
issues, such as the ?nancial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable
safeguards for individuals? health information for instance:

0 By speaking quietly when discussing a patient?s condition with family members in a waiting
room or other public area;

0 By avoiding using patients" names in public hallways and elevators, and posting signs to
remind employees to protect patient con?dentiality;

. By isolating or locking ?le cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining personal
information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of conduct to
develop the reasonable safeguards required by the Privacy Rule.

Version 7-29-13