tm

 

a? a.
if DEPARTMENT OF HEALTH ah HUMAN SERVICES OFFICE OF SECRETARY
Voice TDD- (r 14) tar?rain Of?ce for Civil Rights, Region VI
FAX - (2 ill) ?Ml-0432  Bill You Street, Suite 1169

oim?n'o

?its,? Ballasts-tam

August 12, 2014

 

{bllIGL-CbliTIiC-l

 

 

 

OCR Transaction Number: 14- 1 86282

Dear 

On June 23, 2014, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), received your complaint alleging that Raymond G. Murphy VA Healthcare Medical
Centen the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able
Health Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).
Speci?cally, you alleged that in a letter dated February 11, 2014, and another letter dated
May 28, 2014, you requested a ?tll accounting of disclosures to the Privacy Of?cer at the facility-
You alleged you put your requests in writing, personally delivered them, and that the Privacy Of?cer
signed oifon receiving your requests. You alleged that you have not received a response to these
requests. These allegations could reflect a violation of 45 C.F.R. 164.528.

Thank you for bringing this matter to attention- Your complaint is an integral part of 
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights laws
which prohibit discrimination in the delivery of health and human services because of race, color,
national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule requires that covered entities provide an individual with an accounting of
disclosures for a period of up to 6 years from the date of the request, with certain exceptions. The
covered entity must provide such an accounting within 60 days of the date of the request.

We have carefully reviewed your complaint against Raymond G. Murphy VA Healthcare Medical
Center and have determined to resolve this matter through the provision of technical assistance to
Raymond G. Murphy VA Healthcare Medical Center. Should OCR receive a similar allegation of
noncompliance against Raymond G. Murphy VA Healthcare Medical Center in the future, OCR may
initiate a formal investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions
related to your right to an accounting of your medical records.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request, we
will make every effort, as permitted by law, to protect information that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Valerie Montoya, Investigator, at
(214) 767-1717 (Voice) or (214) 767-8940 (TDD).

Sincerely,

 

Enclosure: Accounting of Disclosures

ACCOUNTING or DISCLOSURES
45 C.F.R. 164.523

How the Rule Works

The Privacy Rule generally requires covered entitles to provide an accounting of disclosures
of protected health information (PHI) to an individual who requests one. The individual may
request an accounting of disclosures made in the 6 years prior to the date of the request, or
for any time period less than 6 years. The requirement in the Rule contains several
exceptions, so that not all disclosures of PHI must be included in the accounting. The
following types of disclosures are not required to be included in an accounting:

0 To carry out treatment, payment and health care operations as provided in
45 C.F.R. 164.506
- To individuals of protected health information about them as provided in
45 164.502
0 Incident to a use or disclosure otherwise permitted or required by the Privacy Rule,

as provided in 45 C.F.R. 164.502

Pursuant to an authorization as provided in 45 C.F.R. 164.508

For the facility?s directory or to persons involved in the individual's care or other
noti?cation purposes as provided in 45 C.F.R. 164.510

For national security or intelligence purposes as provided in 45 C.F.R.

To correctional institutions or law enforcement of?cials as provided in 45 C.F.R.


As part of a limited data set in accordance with 45 C.F.R. 164.514(e)

The implementation speci?cations for this provision require a covered entity to include
disclosures to or by business associates of the covered entity.

The accounting must include for each disclosure: The date of the disclosure; (ii) The
name of the entity or person who received the PHI and, if known, the address of such entity
or person; A brief description of the PHI disclosed; and (iv) A brief statement of the
purpose of the disclosure that reasonably informs the individual of the basis for the
disclosure or, in lieu of such statement, a copy of a written request for disclosure under 45
C.F.R. or 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple
disclosures of PHI to the same person or entity for a single purpose under 
or 164.512, the accounting may provide the information required for the
first disclosure during the accounting period; and the frequency, periodicity, or number of
the disclosures made during the accounting period; and the date of the last such disclosure
during the accounting period.

If the covered entity has made disclosures of PHI for a particular research purpose in
accordance with 164.5120) for 50 or more individuals, the accounting may, with respect
to those disclosures for which the PHI about the individual may have been included, provide
to the individual: (A) The name of the protocol or other research activity; (B) A description,
in plain language, of the research protocol or other research activity, including the purpose
of the research and the criteria for selecting particular records; (C) A brief description of the
type of protected health information that was disclosed; (D) The date or period of time
during which such disclosures occurred, or may have occurred, including the date of the last
such disclosure during the accounting period; (E) The name, address, and telephone

Version 7-29-13

number of the entity that sponsored the research and of the researcher to whom the
information was disclosed; and (F) A statement that the protected health information of the
individual may or may not have been disclosed for a particular protocol or other research

activity.

If the covered entity provides an accounting for research disclosures, and if it is reasonably
likely that the PHI of the individual was disclosed for such research protocol or activity, the
covered entity shall, at the request of the individual, assist in contacting the entity that
sponsored the research and the researcher.

The covered entity must act on the individual's request for an accounting no later than 60
days after receipt of such a request. 45 C.F.R. 164.528 If the covered entity is
unable to act upon the request within this time period, it may extend the time to respond by
no more than 30 days provided that the covered entity, no later than 60 days after the
receipt of the request, provides the individual with the reason(s) for the delay in writing and
the date by which the covered entity will provide the accounting. The covered entity may
have only one such extension of time for action on a request for an accounting.

The covered entity must provide the first accounting to an individual in any 12 month period
without charge. The covered entity may impose a reasonable, cost-based fee for each
subsequent request for an accounting by the same individual within the 12 month period,
provided that the covered entity informs the individual in advance of the fee and provides
the individual with an opportunity to withdraw or modify the request for a subsequent
accounting in order to avoid or reduce the fee.

A covered entity must document information about all accountings for a period of 6 years
from the date of the accounting. See 45 C.F.R. 164.528(d) for details.

A covered entity must temporarily suspend an individual's right to receive an accounting of
disciosures to a health oversight agency or law enforcement of?cial, as provided in 45
C.F.R. 164.512(d) or respectively, for the time speci?ed by such agency or of?cial,
if certain conditions are met. See 45 C.F.R. details.

Version 7-29-13

Men.
3., a; DEPARTMENT OF HEALTH 8: HUMAN SERVICES ICE OF THE SECRETARY

 

c?m?mc

Voice (300)368?1019 run - {21437618940 Of?ce for Civil Rights, Region VI
FAX . :2 Id) 7814143: Williams 1301 Young Street, Suite 1169
Dallas, Tit 75201
August 11, 2014

Andrea Wilson, RHIA, CIPP, 

VHA Privacy Implementation Coordinator

Information Access Privacy Of?ce- 

Department of Veterans Affairs- Veterans Health Administration
810 Venuont Avenue, NW

Washington, DC 20420

OCR Transaction Number: 1 4-1 86282
Dear Ms. Wilson:

On June 23, 2014, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), received a complaint alleging that Raymond G. Murphy VA Healthcare Medical
Center, the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able
Health Information andr?or the Security Standards for the Protection of Electronic Protected Health
Information 45 C.F.R.. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).
Speci?cally, alleged that in a letter dated February 1 I, 2014, and another letter
dated May 28, 2014, he requested a full accounting of disclosures to the Privacy Officer at the
covered entity. alleged he put his requests in writing, personally delivered them, and that
the Privacy Officer signed off on receiving his requests. He alleged that he has not received a
response to these requests. These allegations could re?ect a violation of 45 CPR. 164.528.

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rides, and also Federal civil rights laws
which prohibit discrimination in the delivery of health and human services because of race, color,
national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity failed to provide an accounting of
disclosures. The Privacy Rule requires that covered entities provide an individual with an
accounting of disclosures for a period of up to 6 years from the date of the request, with certain
exceptions. 45 CPR. 164.528. The covered entity must provide suchan accounting within 60 days
of the date of the request.

Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this
matter through the provision of technical assistance to Raymond G. Murphy VA Healthcare Medical
Center. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to
Accounting of Disclosures.

You are encouraged to review these materials cioscly and to share them with your staff as part of the
Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been any
noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to
ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review
the facts of this individual request for an accounting and provide the individual the appropriate
written response swiftly if the request meets the requirements of the Privacy Rule. Should OCR

receive a similar allegation of noncompliance against Raymond G. Murphy VA Healthcare Medical
Center in the future, OCR may initiate a formal investigation of that matter. In addition, please note
that, after a period of six months has passed, OCR may initiate and conduct a compliance review of
Raymond G. Murphy VA Healthcare Medical Center related to Raymond G. Murphy VA Healthcare
Medical Center?s compliance with the Accounting provisions of the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request, we
will make every effort, as permitted by law, to protect information that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Valerie Montoya, Investigator, at
(214) 767?1717 (Voice) or (214) 767-#8940 (TDD).

   
  

orge A. Lozano
Regional Manage

Enclosure: Accounting of Disclosures

ACCOUNTING or DISCLOSURES
45 C.F.R. 164.528

How the Rule Works

The Privacy Rule generally requires covered entities to provide an accounting of disclosures
of protected health information (PHI) to an individual who requests one. The individuai may
request an accounting of disclosures made in the 6 years prior to the date of the request, or
for any time period less than 6 years. The requirement in the Rule contains several
exceptions, so that not all disclosures of PHI must be included in the accounting. The
following types of disclosures are not required to be included in an accounting:

- To carry out treatment, payment and health care operations as provided in
45 C.F.R. 164.506
- To individuals of protected health information about them as provided in
45 C.F.R. 164.502
- Incident to a use or disclosure otherwise permitted or required by the Privacy Rule,

as provided in 45 C.F.R. 164.502
- Pursuant to an authorization as provided in 45 164.508

0 For the facility's directory or to persons involved in the individual's care or other
noti?cation purposes as provided in 45 C.F.R. 164.510

- For national security or intelligence purposes as provided in 45 C.F.R.


- To correctional institutions or law enforcement of?cials as provided in 45 C.F.R.


- As part of a limited data set in accordance with 45 C.F.R. 164.514(e)

The impiementation speci?cations for this provision require a covered entity to include
disclosures to or by business associates of the covered entity.

The accounting must include for each disclosure: The date of the disclosure; (ii) The
name of the entity or person who received the PHI and, if known, the address of such entity
or person; A brief description of the PHI disclosed; and (iv) A brief statement of the
purpose of the disclosure that reasonably informs the individual of the basis for the
disclosure or, in lieu of such statement, a copy of a written request for disclosure under 45
C.F.R. or 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple
disclosures of PHI to the same person or entity for a single purpose under 
or 164.512, the accounting may provide the information required for the
?rst disclosure during the accounting period; and the frequency, periodicity, or number of
the disclosures made during the accounting period; and the date of the last such disclosure
during the accounting period.

If the covered entity has made disclosures of PHI for a particular research purpose in
accordance with 164.512(i) for 50 or more individuals, the accounting may, with respect
to those disclosures for which the PHI about the individual may have been included, provide
to the individual: (A) The name of the protocol or other research activity; (B) A description,
in plain language, of the research protocol or other research activity, including the purpose
of the research and the criteria for selecting particular records; (C) A brief description of the
type of protected health information that was disclosed; (D) The date or period of time
during which such disclosures occurred, or may have occurred, including the date of the last
such disclosure during the accounting period; (E) The name, address, and telephone
number of the entity that sponsored the research and of the researcher to whom the

information was disclosed; and (F) A statement that the protected health information of the
individual may or may not have been disclosed for a particular protocol or other research
activity.

If the covered entity provides an accounting for research disclosures, and if it is reasonably
likeiy that the PHI of the individual was disclosed for such research protocol or activity, the
covered entity shall, at the request of the individual, assist in contacting the entity that
Sponsored the research and the researcher.

The covered entity must act on the individuai?s request for an accounting no later than 60
days after receipt of such a request. 45 C.F.R. 164.528 If the covered entity is
unable to act upon the request within this time period, it may extend the time to respond by
no more than 30 days provided that the covered entity, no later than 60 days after the
receipt of the request, provides the individual with the reason(s) for the delay in writing and
the date by which the covered entity will provide the accounting. The covered entity may
have only one such extension of time for action on a request for an accounting.

The covered entity must provide the ?rst accounting to an individual in any 12 month period
without charge. The covered entity may impose a reasonable, cost-based fee for each
subsequent request for an accounting by the same individual within the 12 month period,
provided that the covered entity informs the individual in advance of the fee and provides
the individual with an opportunity to withdraw or modify the request for a subsequent
accounting in order to avoid or reduce the fee.

A covered entity must document information about all accountings for a period of 6 years
from the date of the accounting. See 45 C.F.R. 164.528(d) for details.

A covered entity must temporarily suspend an individual?s right to receive an accounting of
disclosures to a health oversight agency or law enforcement of?cial, as provided in 45
C.F.R. 16451201) or respectively, for the time speci?ed by such agency or of?cial,
if certain conditions are met. See 45 C.F.R. details.