DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-3909

September 29, 2011

[name redacted]
Ms. Andrea Wilson
Privacy Implementation Coordinator
VHA Information Access Privacy Office (19F2)
U.S. Department of Veterans Affairs
810 Vermont Avenue NW
Washington, DC 20420

Re: [name redacted] vs. Bay Pines VA Healthcare System
OCR Reference Number: 11-126630

Dear [name redacted] and Ms. Wilson,

On April 16, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that Bay Pines VA Healthcare System (hereinafter, "Bay Pines") is in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [name redacted], Complainant, alleges that medical staff at Bay Pines impermissibly disclosed Complainant's protected health information (PHI) when, on October 20, 2010, Complainant discovered that her medical records had been released to an unauthorized third party, UNUM Provident, on July 17, 2009, based on an authorization that expired in 2005. Complainant further alleges that Bay Pines admitted in a letter dated November 9, 2010, that a workforce member violated her privacy rights; further, it is contended that Bay Pines provided written assurances that actions were taken to address and cure the breach of Complainant's PHI. This allegation could reflect potential violations of 45 C.F.R. §§ [illegible] and 164.530([illegible]), respectively.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. The Privacy Rule prohibits a covered entity from using or disclosing PHI, except as permitted by the Rule. See 45 C.F.R. § 164.502(a). The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R. § 164.530(c)(1). Under the Rule, a covered entity must also have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity. See 45 C.F.R. § 164.530(e). Further, the Privacy Rule mandates that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the requirements of HIPAA by the covered entity or its business associate. See 45 C.F.R. § 164.530(f).

OCR notified Bay Pines VA Healthcare System of the complaint filed by Complainant. OCR's notification to Bay Pines VA Healthcare System included a written request for the results of their review of the complaint's allegations. OCR also requested a copy of Bay Pines VA Healthcare System's policies and procedures with respect to the impermissible use and disclosure of PHI, the safeguarding of PHI, the policies governing the sanctioning of employees who do not comply with the covered entity's policies and procedures, and the mitigation steps taken by the covered entity should an impermissible disclosure of PHI occur. [name redacted], the Privacy Specialist for VHA, responded initially to OCR's written request for information on behalf of the covered entity on August 10, 2011.
In the response, [name redacted] submitted copies of the requested policies, procedures, and practices that are the subject of the investigation, which are necessary for OCR to determine whether the covered entity is complying with the applicable provisions of the Privacy Rule. Bay Pines VA Healthcare System provided evidence that it had internally reviewed and mitigated the allegations in this complaint. [name redacted]'s position is that the complaint's allegations did have merit, in that the Complainant's medical records were in fact impermissibly disclosed to an unauthorized third party, UNUM. Additionally, the release of this information was based on an authorization which was signed in 2005 and only valid for two years. [name redacted]'s position also states that if the incident occurred as alleged, then the actions of the Release of Information clerk were not in compliance with their internal policies and procedures which govern the impermissible use and disclosure of PHI as well as the safeguarding of PHI.

As previously stated, 45 C.F.R. § 164.502(a) states, in part, that a covered entity may not use or disclose PHI, except as permitted by the HIPAA Privacy Rule. Please further note that 45 C.F.R. § 164.530(c)(1) states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. Our analysis of the information gathered through our investigation discloses that the actions of the Release of Information clerk were not in compliance with the policies and procedures in place which govern the impermissible use and disclosure of protected health information as well as the safeguarding of protected health information.
Pursuant to OCR's investigation, VHA took the following corrective measures to demonstrate its willingness to voluntarily comply with the cited provisions of the Privacy Rule: The Privacy Staff at VHA determined that the Release of Information clerk did in fact impermissibly disclose the Complainant's protected health information to UNUM without the presence of a signed, valid authorization. As a result of these actions, the employee's supervisor provided verbal counseling for the impermissible disclosure to UNUM. In addition, an offer was made to 615 individuals to enroll in Equifax Credit Watch Gold, which includes monitoring of all three credit bureaus, at the expense of the VHA. This offer was made as a mitigation step to offset the potential consequences of the said impermissible disclosure of the PHI belonging to the 615 individuals served out of this department. In addition to this offer, a letter of apology was sent by [name redacted], Chief Procurement and Logistics Officer, for any issues this incident may have caused individuals and their

Based on the foregoing, we have determined that the corrective action measures taken by the VHA are sufficient to effectively resolve the issues raised by Complainant, and furthermore demonstrate willingness to voluntarily comply with the applicable provisions of the Privacy Rule. As part of our investigation, OCR also reviewed the covered entity's internal policies and procedures applicable to [illegible] and 164.530(f) of the HIPAA Privacy Rule. Our review of the same discloses them to be compliant with the Privacy Rule. Therefore, OCR has determined that all matters raised by this complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VHA. We are accordingly closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect the information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Anitra Moreland, Investigator, at (404) 562-7521 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager