DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Regional Manager
Office for Civil Rights
999 18th Street, South Terrace, Suite 417
Denver, Colorado 80202-2401
Telephone: (303) 844-7915
FAX: (303) 844-2025
TDD: (303) 844-3439

July 2, 2013

Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2CI
Department of Veterans Health Administration
810 Vermont Ave, NW
Washington DC 20420

Re: Department of Veterans Affairs
OCR Transaction Number: 11-126816

Dear Ms. Wilson:

On April 26, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received the above-referenced complaint from (Complainant). The subject complaint alleged that the Department of Veterans Affairs (VA) was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).1 Specifically, Complainant alleged that the VA impermissibly used and failed to safeguard his protected health information (PHI) when Complainant's co-worker at the VA, accessed his medical record and shared his PHI with other co-workers. OCR investigated Complainant's allegations under 45 C.F.R. 164.502(a) (impermissible use/disclosures), 164.514(d) (minimum necessary; role-based access), and 164.530(c) (safeguards).

In general, the Privacy Rule prohibits covered entities from using or disclosing PHI without authorization, except as otherwise permitted for treatment, payment, or healthcare operations reasons.2 The minimum necessary provision of the Privacy Rule also requires covered entities to limit access to PHI by identifying the persons or classes of persons within the covered entities' facility who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.3 In addition, the Rule requires covered entities to have in place appropriate administrative, technical, and physical safeguards to protect against uses and/or disclosures of PHI that are not permitted by the Privacy Rule and to limit incidental uses and/or disclosures of

OCR interviewed Complainant on June 22, 2011, and examined documentary evidence he submitted. On July 25, 2011, OCR notified the VA of Complainant's allegations. The VA provided its initial position statement on November 16, and also provided additional supporting documentation. In its response, the VA conceded that it impermissibly used and failed to safeguard Complainant's PHI when Complainant's co-worker, impermissibly accessed its

The VA took corrective action to resolve the subject matter by counseling and [redacted] and providing Complainant with a letter outlining steps he should take to monitor his credit. Therefore, OCR concludes that all matters pertaining to the subject complaint have been resolved and is closing the complaint effective the date of this letter.

determination as stated in this letter applies only to the allegations in the complaint that OCR reviewed. Under the Freedom of Information Act, we may be required to release this letter and other information about the subject case upon request by the public. In the event that OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals, or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding disposition of the subject transaction, please contact me at (303) 844-7915, or Ms. Kelly Lewis, J.D., Equal Opportunity Specialist, at (303) 844-7833. Thank you.

Sincerely,

Velveta Howell
Regional Manager

1 OCR enforces the Privacy, Security, and Breach Notification Rules. OCR also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

2 45

3 45 C.F.R. 164514011)

4 45 C.F.R. 164.530(c)

5 In his initial complaint Complainant alleged that he thought discussed his with their co-workers. denied that she did so. During an interview with OCR, Complainant clarified that he had no evidence that discussed his PHI, but was fearful that she would.

6 The VA submitted its relevant privacy policies and procedures for review during the investigation, which OCR determined were consistent with Privacy Rule requirements regarding the subject complaint.