arm?s . . DEPARTMENT OF- HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY "l5 Voice - (206) 6 5-229D, (300) 3624710 Of?ce for Civil Rights, Region E?i'mu TDD - (206) 615-2296, (300) 537-?697 220] Sixth Avert Ire, Mail Stop (FAX) - {206) 615-229? Seattle, WA 98121-1331 ovfocrf Date: It 23 20" Stephania Grif?n VHA Privacy Officer Of?ce of Health Information 810 Vermont Avenue, NW Washington, DC 20420 RE: Transaction No. 11426541 Dear Ms. Grif?n: The US. Department of Heal and Human Services (HHS), Of?ce for Civil, Rights (OCR) received a complaint from {blislibmicl ?Complainant?) on behalf of employee libligl alleging that the VA Medical Center (VA) in Vancouver, Washington was in violation of the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privar Security Rules). Speci?cally, Complainant alleged that employee accessed coworker protected health information on January 10, 2011 and January 18, 2011 without a need to know. These allegations re?ected possible violations of 45 C.F.R. 164.502 (impermissible use) and 164.53 0(c) (safeguards). OCR provided notice to the VA regarding this complaint by letter dated July 6, 201 l. W5). OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. Under the Privacy Rule, a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. See 45 CPR. Covered entities must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 CPR. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures of that are not permitted by the Rule. See 45 C.F.R. 164.5 During this investigation, OCR learned that v. d?lwork at a call center at the VA that schedules appointments and handles forwarding medication re?ll requests. Due to the nature of the work, employees have access to medical records. Additionally, a large percentage of the call center staff are also patients of the VA. tarted work at the call center in early January 2011. At that time, was a team lead at the call center and and worked side by side whileas being trained. 11 April, requested an audit trail of access to her medical record and discovered thatad accessed her VA medical record on January it], 2011 and January 18, 2011. When the VA asked bout the January 10, 20] 1 access, stated that the access into record was done speci?cally at - er uest regarding a prescription re?ll as employees are not - owe to access their own medical record. (W51 Idenied that she requested to view her medical record. The Transaction No. 11-12654] . . Page 2 of2 audit trail shows thatviewed the record but there is no indice tion t} at changes or any other action was taken. Since tt ere was no evidence to suggest that cessed record on this day for a business related reason, Iwas counseled on this issue and the counseling was documented. The call center is also determining ways to document consent between peers who need to access medical records. I As for the access on Jan 18 2011,did not recall accessing record that The audit trail shows that lwent into record to correct Imarital status in the system. [aimed that changing marital status is not a function of the ca 1 center and that only human resources is allowed to make such a change. However, OCR interviewed the call center?s manager who con?rmed that call center employees are expected to make updates to patient records, including corrections or changes in marital status. Since the access on January 18, 2011 was for a business related reason, no further action by the VA is necessary on that issue. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VA. Therefore, OCR is closing this matter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR and does not apply to any other issues regarding compliance with the Privacy and Security Rules. Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event OCR receives such a request, we will seek to protect, to the extent provided by law, personal information which, if released, would constitute an . unwarranted invasion of privacy. If you have any questions, please contact SiarahlBrovim of my staff at (206) 615-2293. Sincerely, Regional Manager cc: Complainant slant?! DEPARTMENT OF HEALTH HUMAN SERVICES 1v?oiee - {206} 615-2290, (300} 362-1710 TDD - (206) 615-2296, [300) 53?-?697 (FAX) - (206) 615-229? DEC 2-3 2011 Date: {bil?ltbimtcl Transaction number: 1-126541 Dear (C) OFFICE OF THE SECRETARY Of?ce for Civil Rights, Region 220] Sixth Avenue, Mail Stop Seattle, WA 98121-1831 The US. Department of Health and Human Services, Of?ce for Civil Rights has concluded its of the Priv Ion behalf submitted by your Enclosed is the closure letter which was sent to the Veterans Health Administration. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly privacy. unwarranted invasion of personal If you have questions regarding this matter, please feel free to contact Sarah Brown of my staff at 206-615-2293. Thank you for bringing this matter to our attention. Sincerely yours, Wake Linda Yuu Connor Regional Manager Enclosure