U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Regional Manager
Office for Civil Rights
999 18th Street, Suite 41?
Denver, Colorado 80202
Telephone: (303) 844-2024
FAX: (303) 344-2025
TDD: (303) 844-3439

May 31, 2012

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
Privacy Office Manager
VHA Privacy Office (1 0PZCI)
Health Information Governance
Department of Veterans Affairs
810 Vermont Avenue, NW
Washington, DC 20420

Re: [redacted] v. Veterans Health Care System Salt Lake City, Utah
OCR Transaction Number: 11425429

Dear Ms. Wilson:

On March 24, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received the above-referenced complaint. The subject complaint alleged that the Veterans Health Care System in Salt Lake City, Utah (VHA), was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).

Complainant, [redacted], alleged that the VHA impermissibly used and failed to adequately safeguard her protected health information (PHI). She further alleged that the VHA did not appropriately limit employee access to her PHI and that it did not mitigate employees' use of her PHI. Specifically, Complainant alleged that, in 2005, several VHA employees impermissibly accessed her PHI.
Since 2005, she alleged that she has periodically asked the VHA privacy officer to run audit logs regarding access to her PHI, and in February 2011, an audit log revealed that one of the VHA employees, [redacted], who had previously impermissibly accessed her records in 2005 again accessed them in October 2009.1 Complainant also alleged that, despite prior impermissible uses of her PHI, the VHA is not appropriately monitoring the access logs for further inappropriate use of her PHI.2

OCR investigated Complainant's allegations as potential violations of 45 CFR 164.502(a) (impermissible use), 164.514(d) (minimum necessary role-based access), 164.530(c) (safeguards), and 164.530(f) (mitigation).

OCR enforces the Privacy and Security Rules. OCR also enforces Federal civil rights laws, which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

On September 2, 2011, OCR notified the VHA of the subject complaint and on October 3, 2011, OCR received the written response acknowledging that Complainant's PHI was impermissibly accessed by [redacted]. The VHA explained that it conducted an audit in February 2011, and found that [redacted], then an employee at the VHA, impermissibly accessed Complainant's records on January 21, 2005 and on October 22, 2009.

The Privacy Rule requires covered entities, such as the VHA, not to use PHI without an authorization, except as permitted by the Rule.3 A covered entity must also limit employee access to PHI to the minimum amount of information necessary to accomplish the employees'
job duties by identifying the classes of persons in its workforce who need access to PHI to carry out their duties and identifying the categories of PHI that each class of persons may have access to.4 Additionally, a covered entity must implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI,5 sanction employees who do not comply with the requirements of the Privacy Rule,6 and mitigate any harmful effects of an impermissible use of PHI.7

1 The Privacy Rule requires complaints to be filed within 180 days of when complainants knew or should have known of the alleged act or omission. As such, OCR limited the scope of its investigation to the impermissible use that the VHA acknowledged occurred in October 2009.
2 OCR declined investigation of responsibility to monitor the access logs under the Security Rule.
3 45 C.F.R.
4 45 C.F.R.
5 45 C.F.R.
6 45 C.F.R.
7 45 C.F.R. 164.530(f).

The VHA acknowledged that [redacted] accessed PHI without authorization and without a permissible purpose under the Privacy Rule. [redacted] access to Complainant's PHI was not related to his job duties. [redacted] was employed as a social worker, and as such, had access to patients' entire medical records; however, in this case, he had no job-related reason for accessing Complainant's PHI.

In order to address the impermissible access, prior to involvement in the subject complaint, on May 3, 2011, the VHA issued a written reprimand to [redacted]. Additionally, on May 5, 2011, [redacted] signed an Alternative Discipline Agreement, which placed his reprimand in abeyance for twelve (12) months from the date of its execution.8 Moreover, on September 19, 2011, the Privacy Officer submitted a privacy breach ticket into its Privacy/Security Event Tracking System for review by the VA Incident Response Team and the VHA satisfied the Privacy Rule's mitigation requirement by providing Complainant with credit monitoring service.
Finally, OCR reviewed the policies pertaining to uses and disclosures of PHI, minimum necessary/employee role-based access to PHI, and safeguards, and finds them to be consistent with the requirements of the Privacy Rule.

All issues related to Complainant's allegations regarding the impermissible use of her PHI, role-based employee access to her PHI beyond the minimum necessary, and lack of safeguards have been addressed by the voluntary compliance efforts. Additionally, OCR concludes that the actions regarding mitigation and sanctions did not violate the Privacy Rule.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding the subject matter, please contact me at the number listed above, or Ms. Emily Prehm, .D., Equal Opportunity Specialist, at 303-844-7893. Thank you.

Sincerely,

Velveta Howell
Regional Manager

8 On June 30, [redacted] voluntarily retired from the VHA.