U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
Office for Civil Rights
Office of the Regional Manager
999 18th Street, Suite 417
Denver, Colorado 80202
Telephone: (303) 844-2024
FAX: (303) 844-2025
TDD: (303) 844-3439

November 14, 2011

Stephania Griffin
Privacy Officer
Veterans Health Administration
Office of Health Information
810 Vermont Avenue, NW
Washington, DC 20420

Keith Cooley, Incident Response
Department of Veterans Affairs
128 T.J. Jackson Drive
Falling Waters, West Virginia 25419

Re: Veterans Affairs, Montana Healthcare System, Ft. Harrison
OCR Transaction Number: 11-122628

Dear Ms. Griffin and Mr. Cooley:

On November 9, 2010, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received an electronic breach report from the Veterans Affairs, Montana Health Care System (the VA), stating that it was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule, Subpart D - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. ...). Specifically, you reported that on April 15, 2010,[1] the VA determined that a box containing protected health information (PHI) for 171 patients had been lost.

OCR enforces the Privacy and Security Rules. OCR also enforces Federal civil rights laws, which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

According to the VA, the Sheridan, Wyoming Veterans Affairs Medical Center (VAMC) had mailed a package of records and billing statements from its Health Information Management department to the Network Authorization Office (NAO) at the VA warehouse address in Fort Harrison, Montana, rather than to the actual physical address of the NAO. The box, which weighed thirteen pounds and was addressed to the NAO, was sent on April 14, 2010, by a tracked mailing service, and a VA warehouse employee verified its receipt on April 15, 2010.

A covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule, and must have reasonable safeguards in place to protect the privacy of PHI.[2] Following receipt at the warehouse, the box was lost and never found. The box, which had been intended for the NAO, was delivered to the VA warehouse as one of numerous items delivered by the United Parcel Service. While expressing uncertainty, the VA warehouse personnel stated that personnel might have opened the misdirected box and forwarded the contents to the NAO through the inter-office mailing system. The NAO was unable to confirm receipt of the documents in this manner.

As a result of the breach, the VA has revised its Mail Operations procedure and trained its staff regarding routing and processing incoming mail. Additionally, the VA changed the process for accessing the information that it needs. The immediate action taken by the NAO was to remotely view the needed information on the VAMC server. Subsequently, the VA instituted a new software system which provides access to scanned fee claims and medical records. The new process allows the NAO to audit fee claims without needing paper files to be mailed to it.

Covered entities must report breaches of unsecured electronic PHI to the affected individuals.[3] On October 1, 2010, the VA notified 171 patients that a breach of their PHI had occurred.

A covered entity must mitigate, to the extent practicable, any harmful effect that is known to it resulting from an impermissible use or disclosure of PHI.[4] The VA contracted with Equifax Personal Solutions to provide identity protection and credit monitoring through Equifax Credit Watch to assist all of the potentially affected individuals, should their information be misused.

Accordingly, due to the voluntary corrective actions, OCR is closing the subject transaction effective the date of this letter. The determination as stated in this letter applies only to the allegations in the subject complaint that OCR reviewed.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding the subject matter, please contact me at the number listed above, or Ms. Karel Hadacek, .D., Equal Opportunity Specialist, at 303-844-4836. Thank you.

Sincerely,

Velveta Howell
Regional Manager

[1] The incident date is unclear, as the report states that the breach was discovered on April 15, 2010, but it did not occur until April 30, 2010. OCR assumes that these dates were reversed during data entry.
45 C.F.R. ... and ... 164.530(c) and ...
[2] 45 C.F.R. 164.502(a) and ...
[3] 45 C.F.R. ...
[4] 45 C.F.R. ...