OFFICE OF THE SECRETARY Of?ce for Civil Rights. Region 150 3. Independence Mall 1West Public Ledger Building, Suite 372 Philadelphia, PA 19106-3499 DEPARTMENT OF HEALTH 8.: HUMAN SERVICES Voice - [215) 861-4441 TDD - (215} 861-4440 September 28, 2011 {bll?libl?'llcl Leslie V. Schaffer, CHP, CHSS Director, TMA Privacy and Civil Liberties Of?ce Of?ce of Assistant Secretary of Defense Health Affairs Skyline Five, 5111 Leesburg Pike- Falls, Church, Virginia 22041-3206 Transaction Number 126032 Dear Dear Ms. Shatter: The Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a complaint on April 7, 2011 alleging that Walter Reed Army Medical Center (covered entity) is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). The complainant, alleges that her husband's superiors inappropriately accessed her protected health information. This allegation could re?ect violation of uses and disclosures and minimum necessary staff. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. We have reviewed the matter raised in the complaint. OCR obtained information from the complainant and the covered entity. The covered entity provided a letter addressing the complaint allegations. The covered entity also provided copies of its polices for all issues relevant to this complaint to assure OCR that it is compliant with the requirement of the Privacy Rule. Through our investigation we determined the following: i In March 201 l, the complainant noti?ed the complainant of the alleged violations that are the subject of this OCR investigation; 0 Upon receiving noti?cation of the alleged inappropriate accesses, the'covered- entity initiated an internal investigation; The investigation revealed that military personnel had inappropriately accessed the complainant?s protected health information 0 Personnel actions were taken against those identi?ed as having inappropriately accessed the compiainant?s PHI The identi?ed personnel completed HIPAA re?'esher training on August 24, 2011; The complainant was issued a letter of apology on August 29, 201 1. Based on our review of the facts and circumstances of this matter we have determined that the covered entity implemented the required voiuntary compliance actions upon learning of the alleged privacy rule violation. Therefore, OCR is closing this complaint. - determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you should have any questions, please do not hesitate to contact Ms. Elizabeth Benson, Investigator at (ZIS) 361-4427 or (215) 361-4440 3% Marlene L. Rey Acting Regional Manager