DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region X
2201 Sixth Avenue, Mail Stop RX-11
Seattle, WA 93121-1831
Voice - (206) 615-2290, (300) 368-1019
TDD - (206) 615-2296, (800)
FAX - (206) 615-2297

Date: JAN 10 2012

[redacted]

Andrea Wilson
VHA Privacy Officer (10P2C 1)
U.S. Department of Veterans Affairs
Veterans Health Administration
810 Vermont Avenue, NW
Washington, D.C. 20420

OCR Transaction No.: 11-126783

Dear [redacted] and Ms. Wilson:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that the Veterans Affairs Southern Oregon Rehabilitation Center Clinics (VASORCC) is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted] (Complainant) alleged that after he ordered an audit of his medical record on December 7, 2010, he discovered that on June 26, 2009 and July 7, 2009, [redacted] (Supervisor), accessed his out-patient medical file for employment purposes, without authorization. These allegations reflected possible violations of 45 C.F.R. 164.530(c) (safeguarding), and 164.502(a) (impermissible use).

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VASORCC of the investigation by mail and fax.

Under the Privacy Rule, a covered entity may not use or disclose protected health information (PHI), except as permitted or required by the Privacy Rule. See 45 C.F.R.
A covered entity must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 C.F.R.

According to VASORCC, they first became aware of the situation upon notification from Complainant who had requested a Sensitive Patient Access Report (Audit) and then requested an internal investigation. The internal investigation determined that Supervisor had accessed Complainant's medical record for employment purposes. Supervisor stated that she had accessed Complainant's record in order to retrieve his demographic information. In response to this incident, VASORCC sanctioned Supervisor and provided notification and an apology to Complainant. VASORCC also reiterated its policies with the entire facility via email.

During the course of this investigation, OCR reviewed safeguarding policies for employee PHI including the VASORCC Privacy Policy and the Department of Veterans Affairs National Rules of Behavior. VASORCC appears to have appropriate safeguards in place, including annual training and audit controls. In this matter, VASORCC provided OCR with audit results of Complainant's record and of Supervisor's system accesses. OCR also reviewed documentation of the sanctions process regarding Supervisor, including documentation of counseling and retraining.

Based upon response, we have determined that no further OCR action is required. Therefore, OCR is closing this case. determination as stated in this letter applies only to the issues in the complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions, please do not hesitate to contact Emily Cameron, Investigator, at 206-615-3873 (Voice) or 206-615-2296 (TDD). When contacting this office, please remember to include the transaction number that we have given this file. That number is located in the upper left-hand corner of this letter.

Sincerely,

Linda Yuu Connor
Regional Manager