DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region X
2201 Sixth Avenue, Mail Stop RX-11
Seattle, WA 98121-1831
Voice: (206) 615-2290, (800) [illegible]
TDD: (206) 615-2296, (800) [illegible]
FAX: (206) 615-2297

Date: FEB 07 2012

Andrea Wilson
VHA Privacy Officer (10P2C1)
U.S. Department of Veterans Affairs
Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

OCR Transaction Number: 11-125359

Dear Ms. Wilson:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a Health Information Technology for Economic and Clinical Health (HITECH) Breach Report from Veterans Affairs Puget Sound Health Care System (VAPS). This document reported possible noncompliance of VAPS with certain aspects of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the document indicated that a VAPS patient's (Patient) medical record was accessed by his ex-wife, a VAPS employee (Employee), over 260 times. The report also indicated that the ex-wife's provider, [redacted], ARN (Provider), accessed Patient's medical record, added documentation to Patient's record, and disclosed the patient's protected health information (PHI) while testifying on the Employee's behalf. These allegations reflected possible violations of 45 C.F.R. [citation illegible] (impermissible uses and disclosures of PHI), 164.530(c) (safeguards), and 164.404(a) (breach notification).

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR notified VAPS of the investigation by mail and fax.

Under the Privacy Rule, a covered entity may not use or disclose protected health information (PHI), except as permitted or required by the Privacy Rule. See 45 C.F.R. [citation illegible]. A covered entity must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 C.F.R. [citation illegible].

According to VAPS, they first became aware of the situation upon notification from Patient, who had reported the allegations through his Social Worker. After receiving that report, VAPS conducted an internal investigation that confirmed Patient's allegations. During the course of this investigation, OCR reviewed safeguarding policies for employee PHI, including the VAPS Privacy Policy and the Department of Veterans Affairs National Rules of Behavior. VAPS appears to have appropriate safeguards in place, including annual training and audit controls.

To resolve the issues raised in the Breach Report, VAPS provided OCR with documentation that Provider is no longer employed by VAPS and that Patient's record has been amended to remove the additions made by Provider. VAPS also provided documentation of the audit reports of Employee's accesses to Patient's records, and documentation that Employee no longer has access to the Computerized Patient Record System or to the VAPS email system. Additionally, VAPS provided documentation of proposed Employee sanctions, which have not yet been finalized due to Employee's ongoing incapacitation and extended leave of absence since October 2010.

Under the Breach Notification Rule, after the discovery of a breach, a covered entity must notify affected individuals. See 45 C.F.R. 164.404. Here, VAPS provided OCR with documentation that Patient had been provided notification and had been offered free credit protection services.

Based upon VAPS' response, we have determined that no further OCR action is required. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the issues in the Breach Report that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Emily Cameron, Investigator, at 206-615-3873 (Voice) or 206-615-2296 (TDD).

Sincerely,

[signature]
Linda Yuu Connor
Regional Manager