DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region
90 7th Street, Suite 4-100
San Francisco, California 94103
Voice - (415) 437-8310, (800) 368-1019
TDD - (415) 437-8311
FAX - (415) 437-3329

October 23, 2013

Our Reference Number: 13-167066

Dear [redacted]:

On September 12, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received your complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that North Valley Plastic Surgery posted the patient private health information of your son, [redacted], on a public web-blog, YELP, without consent.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits covered entities to use and disclose patient protected health information (PHI) only when it is for purposes related to treatment, payment, or health care operations. See 45 CFR. A covered entity is a health plan, health care clearinghouse, or health care provider that electronically transmits health information according to HHS standards. The Privacy Rule defines PHI as any individually identifiable health information (IIHI) that is electronically transmitted or maintained as part of a patient's medical record.
includes but is not limited to any demographic information, such as name or address, created or received by a covered entity that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Based upon our review of your correspondence, OCR has advised the covered entity of the concerns described in your complaint. The facility has been provided with technical assistance on appropriate disclosures of patient protected health information under the Privacy Rule. If in the future, the covered entity fails or refuses to take steps to address this concern based upon the technical assistance provided by OCR, we may need to contact you in connection with a formal investigation. It has been our experience, however, that health care providers are generally responsive to privacy concerns raised in this context.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions or require technical assistance, please contact the office at (415) 437-8310.

Sincerely,

Michael Leoz
Regional Manager

October 23, 2013

Privacy Officer
North Valley Plastic Surgery
20950 N. Tatum Blvd, Ste. 150
Phoenix, AZ 85050

Our Reference Number: 13-167066

Dear

On September 12, 2013, the U.S.
Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that North Valley Plastic Surgery impermissibly disclosed confidential information by posting the patient health information of his son on a public online web-blog, YELP, without consent.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Under the Privacy Rule, a covered entity generally may disclose protected health information (PHI) only for purposes of treatment, payment, or health care operations. See 45 CFR. A covered entity may not confirm or deny that a particular person was, in fact, a patient, or disclose any other individually identifiable health information (IIHI) including but not limited to demographic information such as name or address. The Privacy Rule plainly states that patient PHI is any IIHI maintained by a covered entity as part of a patient's medical record. Therefore, you may wish to remove any specific information about current or former patients from your web-blog. For additional examples and general information about the Privacy Rule, please visit the Frequently Asked Questions page of our website.

It is not our intention to undertake a formal investigation of this matter at this time.
We ask, however, that your Privacy Officer examine this issue to ensure that the facility is fully complying with its internal privacy policies and practices, and, if necessary, to take corrective action to reinforce your practices as they relate to this incident.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions or require technical assistance, please contact the office at (415) 437-8310.

Sincerely,

Michael Leoz
Regional Manager