a? W?s. DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY veiee - (415} 437-3310, {see} seems Of?ce for Civil Rights, Region it TDD - {415} 4sr-ss11. (soc) ear-rear so Street, Suite 4-100 (FAX) - {415} 437-3329 San Francisco, California 94103 Rama? January 31, 2012 {bli?libliillcl Sent Via Ms. Andrea Wilson VHA Privacy Of?ce Manager VHA Privacy Of?ce (10P2C1) 810 Vermont Ave. NW. Washington, DC 20420 OCR Reference number: 11 422530 e. . Dear igli mm and Ms. Wilson: On January 6, 2011, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), received a complaint from (?Halibmm icomplainant), alleging a violation of the Federal Standards for Privacy of Individually Identr 1a Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and the Privacy and Security Rules). Speci?cally, alleged that on July 19, 2010, impermissiny accessed his medical record. The complainant alleged that he formerly worked in the same building am and she had no legitimate reason to access his records other than to be a snoop. This allegation could re?ect a violation of 45 CPR. I OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. In enforcing the Privacy Rule, OCR is required, by the regulation, to attempt, whenever possible, to resolve matters arising from complaints by informal means [45 CPR. On May 19, 201 l, OCR noti?ed the covered entity of this complaint. On June 20, 201], OCR received the written response to the allegation. The covered entity responded that the complaint was valid. It reported that based on an internal investigation related to a complaint it received directly from the complainant, it had substantiated the allegation that the workforce member had used the complainant?s medical record without a permissible reason to do so. The covered entity stated that'when questioned about why the workforce member had gone into the record, the workforce member had responded that she was concerned about the complainant?s welfare. In response to this incident the covered entity ?led a breach report with OCR, and sent a breach noti?cation letter to the complainant on December 6, 2010, discussing the results of its investigation and measures taken as a result of this incident. The covered entity stated in the 11- 122580 Page 2 letter that the incident highlighted an area that work-force members may need additional training in. It also reported that based on the work-force member?s record, the sanction in this matter was a verbal counseling. On December 8, 2010, the complainant was sent another letter from the covered entity offering a free credit monitoring and identity theft protection service for one year. Both letters contained an apology to the complainant. As part of OCRs investigation, OCR was in communication with the complainant, and interviewed several workforce members at the covered entity including told OCR that she was unaware that she could not access the complainant?s record. She said that she was aware that a work-force member could not discuss or disclose information, but she said she was unaware that she could not look. She said that the complainant had worked with her in the past. She told OCR that she had heard the complainant had died and that she thought if this were true, it would be in his medical record. She acknowledged regret about this incident and stated that she did not intend to cause any harm or distress to the complainant. She also con?rmed that she received additional training in regard to the permissible uses of PHI, and understands permissible uses. The privacy of?cer told OCR that this incident highlighted the need to provide additional training for workforce members regarding permissible uses of protected health information. Additional training was provided to the individual workforce member and the entire department on January 25, 2011. Evidence of this training was provided to OCR. The privacy of?cer also reported that she has developed materials in this regard as part of the new employee orientation. One interviewee reported that the workforce member received a verbal counseling and that a write up was placed in her personnel record for six months. There is no current evidence of a write up in the workforce member?s record, but six months has elapsed from the time of the sanction. The privacy of?cer confmned the verbal counseling. OCR reviewed the covered entity?s privacy policies and sanctions policy. A covered entity may not use or disclose PHI except as permitted by the Privacy Rule. The Privacy Rule allows disclosures for treatment, payment, and healthcare operations, 45 CFR and other disclosures with the patient's written authorization. OCR has reviewed the matter raised in the complaint. The matter raised by this complaint at the time it was ?led has now been resolved through the voluntary compliance actions of the covered entity which included a sanction of the workforce member, the provision of additional workforce training, mitigation of the disclosure through the offering of credit and identity protection, and an apology to the complainant. Therefore, OCR is closing this complaint. determination, as stated in this letter, applies only to the allegation in this complaint that was reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. 11- 122580 Page 3 If you have any questions regarding this matter, please contact the investigator assigned to this case at 415-437-8406, or our of?ce at (415) 4318310. Sincerely, Michael Lee: Acting Regional Manager