J?gl??p

?Ml-rill
?e

tr.?

OFFICE OF THE SECRETARY

Of?ce for Civil Rights, Region IV
61 Street, 8. W.

Atlanta Federal Center. Suite 
Atlanta, GA 30303-89139

DEPARTMENT or HEALTH a HUMAN 

Voice- (404) 5523306. {300) 3684019
TDD- {404) 562J384. {300} 
(FAX) {404} 552-7331
hhs. govlocn?

4
?an

August 3, 2011

 



 

 

 

Ms. Shonta Wright

Privacy Officer

VA Medical Center Durham
508 Fulton Street

Durham, NC 27'705

 

lv. VA Medical Center Durham
OCR Transaction Number: 1 1-122994

Re:

 


Dear

 

 

and Ms. Wright:

 

On January 6, 201 l, the US. Department ofHealth and Human Services (HHS), Office for Civil
Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of
Individually Identi?able Health Information (45 CPR. Parts 160 and 164, Subparts A and E, the
Privacy Rule). Speci?cally, the complaining party, lleges that an
employee at Durham VAMC, released 196 pages of her medical record to Wake Technical
Community College. lfurther alleges that did not have her
consent, nor was authorized, to release her protected health information. These allegations could
re?ect violations of 45 CPR. respectively.

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit
discrimination in the delivery of health and human services because of race, color, national
origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health
information, except as permitted or required by the Rule. See 45 CFR The
Privacy Rule states, in part, that a covered entity must identify those persons or classes of
persons, as appropriate, in its workforce who need access to PHI to carry out their duties; for
each such person or class of persons, the category or categories of PHI to which access is needed
and any conditions appropriate to such access; and a covered entity must make reasonable efforts
to limit the access of such persons or classes to consistent with the requirements of this
provision. See 4'5 GER. The Privacy Rule mandates that a covered entity must
have in place appropriate administrative, technical and physical safeguards to protect the privacy

of protected health information. See 45 GER. 

In a written response to request for information, Shonta Wright, Privacy Of?cer, reported
that the covered entity conducted a full investigation into the allegations raised by
The covered entity included in its report a full summary of its internal investigation,
which affirmed the allegations raised by Complainant. Speci?cally, the covered entity concluded
that a Release of Information Clerk released progress notes and consultation reports to Wake
Technical Community College without an authorization. Pursuant to investigation and in
conjunction with the covered entity?s investigation, OCR found that a violation occurred, as
alleged. This ?nding was based on a review of the entire evidentiary record compiled pursuant

to the Complainant?s claim.

In light of ?nding, the covered entity provided OCR with written assurances of the
following corrective action to address the breach in Complainant?s PHI: The covered entity
rectified this violation by meeting with the offending employee and applying sanctions pursuant
to its sanction?s policy. Further, the offending workforce member was subsequently re-trained on
the Privacy Rule. The covered entity provided written assurance that it contacted the
Complainant, noti?ed her of the breach, apologized for the breach, and offered her an
opportunity to enroll in an Equifax Credit Watch Gold protection. On July 8, 201 l, the
Complainant con?rmed these corrective actions in a telephone conversation with the
Investigator, John Bailey.

Based on the reported actions taken by the covered entity, all matters raised by this complaint at
the time it was ?led have now been resolved through the voluntary compliance actions of the
covered entity. Theretbre, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that
were reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the
issues raised in the complaint.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact John Bailey, Investigator, at (404) 562-7866 (Voice) or
(404) 562-7884 (TDD).

 

Roosevelt Freeman