DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice FAX - (215) 351-4431

Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building - Suite 312
Philadelphia, PA 19106-3499

May 9, 2011

Ms. Leslie Shaffer
TMA Privacy Officer
Tricare Management Activity Privacy Office
Skyline 5, Suite 180
5111 Leesburg Pike
Falls Church, Virginia 22041

Transaction Number: 11423557

Dear and Ms. Shaffer:

The Department of Health and Human Services Office for Civil Rights (OCR) received a complaint on February 9, 2011, alleging that the United States Army Dental Clinic in Vilseck, Germany (covered entity) is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that the covered entity's employee impermissibly obtained and impermissibly released his protected health information. These allegations could reflect violations of 45 C.F.R. 164.502 uses and disclosures, and 164.530 safeguards, respectively.

OCR enforces the Privacy Rule, and also enforces federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability and age.

On February 18, 2011, OCR notified the covered entity of the complaint filed against it. investigation revealed that the covered entity's employee impermissibly accessed the complainant's medical information. However, investigation did not reveal that the employee inappropriately provided the protected health information to the investigation revealed that the covered entity's employee accessed the complainant's Expiration of Terms of Service (ETS) orders with the intention of discerning whether or not the complainant's children were included in the ETS orders.
The Privacy Rule, at 45 requires that a covered entity must train the members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate to carry out their function within the covered entity. OCR found that the covered entity's employee completed the covered entity's Privacy Act and HIPAA Clinical Training on June 29, 2010.

The Privacy Rule at 45 C.F.R. provides that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity. Based upon this complaint, on November 29, 2010, the covered entity imposed disciplinary sanctions against the offending employee.

The Privacy Rule under 45 164.530(f) provides that a covered entity must mitigate to the extent practicable any harmful effect that is known to the covered entity as a result of an impermissible use or disclosure of protected health information. OCR found that on November 30, 2010, the covered entity apologized to the complainant for any violation of the complainant's privacy.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance and corrective actions of the covered entity. Therefore, OCR is closing this complaint. determination as stated in this letter applies only to the allegations in this complaint that OCR reviewed.

Please note, however, that the closure of this investigation does not remove the obligation to comply with breach notification rules under 45 C.F.R. 164.408(c) which require annual notification to the Secretary of HHS of breaches affecting less than 500 individuals. The reporting form can be accessed here: ovfocr! rivac r'hi

Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request.
In the event OCR receives such a request, we will seek to protect, to the extent provided by law, personal information, which if released, would constitute an unwarranted invasion of privacy.

If you have any questions, please contact Ralph Balsamo, Investigator, at (215) 861-4444 (Voice), or (215) 861-4440

Sincerely,

Marlene L. Rey
Acting Regional Manager