., DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY. "i5 Voice Of?ce for Civil Rights, Region R?s-um TDD - ol 5-2296. (Slim 537-369? ZZGI Sixth Avenue. Mail Stop RX-I I - {206) (115-2297 Seattle, WA QSIZI-ISSI NOV 30 2011 Date {bli?liblillicl Andrea Wilson VHA Privacy Of?cer US. Department of Veterans Affairs Veterans Health Administration 810 Vermont Avenue, NW Washington, DC. 20420 OCR Transaction Number: 11-122489 Dear a Ms. Wilson: The US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), received a complaint alleging that the Roseburg Veterans Affairs Medical Center (RVAMC) is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, (Complainant) alleged that in September 2010, he requested an audit of his health record and discovered that RVAMC [Employee), had accessed Complainant?s medical record on several occasions. These allegations re?ected possible violations of 45 C.F.R. 164.530(c) (safeguards) and 164.502(a) (impermissible use). OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On April 3, 2011, OCR noti?ed RVAMC of the investigation. Under the Privacy Rule, a covered entity may not use or disclose protected health information (PHI), except as permitted or required by the Privacy Rule. See 45 C.F.R. A covered entity must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). See 45 C.F.R. According to RVAMC, they first became aware of the situation upon notification from Complainant who had requested a Sensitive Patient Access Report (Audit) which showed that Employee had accessed his record on three occasions. RVAMC stated that this incident prompted additional review and it was determined that Employee had also accessed other records outside the scope of her official duties. Transaction No. 11-12489 Page 2 Based on investigation, RVAMC found that Employee had taken the Veteran?s Health Administration Privacy Policy training and the Privacy and Information Security Awareness training classes multiple times. Despite her training, she had accessed patient records without a need to know. As such, Employee was reprimanded according to RVAMC policy. During the course of this investigation, OCR reviewed policies and procedures regarding safeguarding PHI as well as uses and disclosures of PHI. RVAMC appears to have appropriate safeguards in place, including annual training and audit controls. In this matter, RVAMC provided OCR with audit results of Complainant?s record and of Employee?s system accesses. OCR also reviewed documentation of the sanctions process regarding Employee. Based upon response, we have determined that no further OCR action is required. Therefore, OCR is closing this case. determination as stated in this letter applies only to the issues in the complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please do not hesitate to contact Emily Cameron, Investigator, at 206-615- 3873 (Voice) or 206-615?2296 (TDD). When contacting this of?ce, please remember to include the transaction number that we have given this ?le. That number is located in the upper left-hand comer of this letter. Sincerely, (A: WM gram-PH Lmda Yuu Connor Regional Manager