DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
Voice - (404) 552-7386
TDD - (404) 552-7884
(404) 552-7331
51 rum-u. Street, S.W.
Atlanta Federal Center, Suite
Atlanta, GA 30303-3909

July 25, 201

Ms. Andrea Wilson
Privacy Implementation Coordinator
Information Access Privacy Office (19F2)
810 Vermont Ave NW
Washington, DC 20420

Re: (?Emma v. Fayetteville VA Medical Center
Reference number: 11-126402

Dear and Ms. Wilson:

On April 6, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that Fayetteville VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, Complainant, states that he had a colonoscopy on March 28, 2011 at the Fayetteville VA Medical Center. He was expecting to receive his test results within two weeks, but instead, received a phone call from another patient, told that he had erroneously received his test results. These allegations could reflect violations of 45 C.F.R. 164.502(a) and 164.530(c), respectively.

The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 C.F.R. 164.502. The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. See 45 C.F.R.

On June 8, 2011, OCR notified Andrea Wilson, Privacy Implementation Coordinator, of the complaint against the Fayetteville VA Medical Center (hereinafter, VAMC). Specifically, we sent the facility a written request for evidence asking that they provide us with a statement detailing the results of their internal investigation into the allegations. We also requested a copy of policies and procedures relating to safeguards. Finally, we requested documentation showing that relevant staff were retrained or sanctioned on the aforementioned provisions of the Privacy Rule if it was ultimately determined that a violation occurred.

Ms. Wilson responded to the written request for information on behalf of VAMC on June 23, 2011. In her response, she submitted copies of the requested policies and procedures and gave OCR written assurances that the facility looked into the allegations after receiving notification. Specifically, she told OCR that wife initially contacted the facility when the incident first occurred. Once the VAMC received her complaint, an investigation was immediately opened and the privacy officer interviewed the mailroom supervisor regarding the allegations. Through their discussions, it was ultimately determined that the mail sorting machine in the mailroom at the VAMC had malfunctioned, causing two letters to be mailed in the same envelope. Although the mail sorting machine ordinarily separates each letter, the malfunction caused receive another patient's protected health information including his name, address, and diagnoses from a colonoscopy procedure.

Although the mail sorter malfunctioned in this instance, Ms. Wilson told OCR that the facility maintains a Mail Room Standard Operation Procedure that includes performing random checks on the machines. Shortly after this incident occurred and before complained to the VAMC, the machine had been serviced and recalibrated.

Having discovered the source of the error in this instance, both the VAMC Director and Associate Director sent letters of apology, explaining the outcome of their investigation and the corrective action taken as a result. Copies of both letters, the last dated June 20, 2011, were submitted to OCR as evidence of the facility's corrective action in response to the incident presented in the complaint.

Based on the foregoing, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the VAMC. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Akara Wiiten Smith, Investigator, at (404) 562-7139 (Voice), (404) 562-7884 (TDD).

Sincerely,

a?en Fre man
Regional Manager