if was?. E. DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY it Voice . (214) ire-moss, 363?1019 mo {214} 767-3940 Dmce for Civil Rights, Regienw ?5 FAX- [El-t} 161-0432 Widen! 130! Young 5mm, Suite use ?than DallasJ'X 3202 MAR 2 i 201'! {biltaliblti'ltcl OCR Transaction Number: 14- 7'4?03 ea]- On January 14, 2014, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), Region VI, received your complaint alleging that Michael E. DeBakey VA Medical Center (the ?Center"), the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, you allege that the Center maiied another patient?s protected health information (PHI) to your husband. This allegation could re?ect a violation of 45 C.F.R. and You further alleged that once you contacted the Center to express your concerns, no one was able to provide a contact person for you to speak with regarding the misdirected mail. This allegation could re?ect a violation of 45 C.F.R. 16453061). Thank you for bringing this matter to attention. Your complaint plays an integral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule allows health care providers and health plans to share protected health infonnation (PHI) for permitted purposes using the mail or fan, as long as they use reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the See 45 CPR. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity ?rst con?rming the fax number with the intended recipient of the fax. As also explained at 45 C.F.R. 164.530 A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedmes required by this subpart and subpart of this part or its compliance with such policies and procedures orthe requirements of this subpart or subpart of this part. We have carefully reviewed your complaint against the Center and have determined to resolve this matter infonnally through the provision of technical assistance to the Center. Should OCR receive a similar allegation of noncompliance against the Center in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without ?lrther action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Tal?Mon Hubbard, Investigator, at (214) 767-3768 (Voice) or (214) 767-3940 (TDD). Sincerely, Jorge A. Lozano Regional Manager gm. ammo DEPARTMENT OF HEALTH HUMAN SEIWICES OFFICE OF THE SECRETARY Voice? (214', sauces. (soc) ass 1019 TDD {21437613940 Of?ce for Civil Rights, Region VI Farr [214) tarmac not Young Street, suite 1159 Dallas, Tx assoc MARZIZWI Ms. Andrea Wilson, RHIA, CIPP, VHA Privacy Implementation Coordinator Information Access and Privacy Of?ee- 1013001 Department of Veterans Affairs-Veterans Health Administration 310 Vermont Ave, NW I Washington DC 20420 OCR Transaction Number: 14474708 Dear Ms. Wilson: On January 14, 2014, the US. Department of Health and Human Services Office for Civil Rights (OCR), Region VI. received a complaint alleging that Michael E. DeBakey VA Medical Center (the the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information 45 CPR. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the complainant, alle ed that the Center mailed another patient?s protected health information (PHI) to her husband (breasts) This allegation could re?ect a violation of 45 C.F.R. 164.502(a) and She further allegedthat once she contacted the Center to express her concerns, no one was able to provide a contact person for her to speak with regarding the misdirected mail. This allegation could re?ect a violation of 45 C.F.R. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. Generally, the Privacy Rule permits a covered entity to make disclosures of protected health information (PHI) fora permitted purpose, through a variety of means, such as by mail or facsimile machine, as long as the covered entity, when doing so, uses reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 CPR. These safeguards may vary depending on the mode of communication used. For example, when farting PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity fil'St confirming the fax number with the intended recipient of the fax. As also explained at 45 CPR. 164.5 30 A covered entity must provide aprocess for individuals to make complaints concerning the covered entity?s policies and procedures required by this subpart and subpart of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart of this part. In this matter, the complainant alleges that PHI was impermissiny disclosed either through the mail or by fax. Pursuant to its authority under 45 CPR. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to the Center. To that end, OCR has enclosed a checklist of reminders on how to safely use the mail or fax machines when sending PHI. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against the Center in the ?Jture, OCR may initiate a formal investigation of that matter. Based on the forgoing, OCR is closing this case without ?nther action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such arequest, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Tal?Mon Hubbard, Investigator, at (214) 767-3 768 (Voice) or (214) 767-3940 (TDD). Sincerely, Jorge A. Lozano 5 Regional Manager Enclosure: Checklist May a physician?s of?ce or health plan use mail or fax to send patient medical information? Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care clearinghouses to share protected health information with another organization or with the individual, they may use a variety of means to deliver the information, as long as they use reasonable safeguards when doing so. When the communications are in writing, the patient information may be sent by mail, fax, or other means of reliable delivery. The Privacy Rule requires that covered entities apply reasonable safeguards when making these communications to protect the patient information from inappropriate use or disclosure to unauthorized persons. These safeguards will vary depending on the mode of communication used. For example, when mailing patient information, reasonable safeguards would include checking to see that the name and address of the recipient are correct and current and that only the minimum amount of patient information is showing on the outside of the envelope to ensure proper delivery to the intended recipient. When faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard would include ?rst con?rming the fax number with the intended recipient. Similarly, a covered entity may pro-program frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient. The following checklists provide guidance on reasonable safeguards that a covered health care provider, health plan, or health care clearinghouse may put in place to protect patient information from being impermissiny disclosed during l) mailing and (2) faxing. See 45 CPR. MAILING CHECKLIST El Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient. El Carefully check the contents of the envelope before sealing. Make sure the contents may be permissiny disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included in the envelope. Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed. El When doing mass mailings, do a test run to ensure the system is properly performing and check at least a sample of the mailings for the accuracy of name and address of the intended recipients and the correct contents, as indicated above, before sending. El Have policies and procedures in place to safeguard protected health information that is mailed, including processes to act on (1) name and address changes to ensure corrections are made in all the relevant records; and (2) reports of misdirected mail to identify the cause and take steps to prevent future incidents. Train staff on the mailing procedures that your organization has put in piace to safeguard protected health information during mailing. Update the training periodically and be sure to train new staff. FAXING CHECKLIST Carefully check the fax number to make sure you have the correct number for the intended recipient. When manually entering the number, check to see that it has been entered correctly before sending. Con?rm fax number with the intended recipient when faxing to this party for the ?rst time or if the fax number is not regularly used. Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending. Update fax numbers upon receipt of noti?cation of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine. Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending. Have policies and procedures in place to safeguard protected health information that is faxed, including processes to act on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures. Train staff on the policies and procedures for the proper use of fax machines that your organization has put in place to safeguard protected health information during faxing. Update the training periodically and be sure to train new staff.