DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE
Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499
Voice - (215) 861-4441
TDD - (215) 351-4440
FAX (215) 861-4431
hhs.gov/ocr

March 20, 2012

Ms. Andrea Wilson, RHIA, CIPP
U.S. Department of Veterans Affairs
Veterans Health Administration
Information Access and Privacy Office (10P2C1)
810 Vermont Avenue NW
Washington, DC 20420

OCR Transaction Number: 11-127542

Dear Ms. Wilson:

Please be advised that on May 17, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint from (Complainant) alleging that the Veterans Health Administration (VHA), James E. Van Zandt Medical Center, is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, Complainant alleges that on May 4, 2011, Complainant's protected health information (PHI) was impermissibly disclosed on the Administrative Officer of the Day (AOD) log. These allegations could reflect violations of 45 C.F.R. 164.502(a) (uses and disclosures) and 164.530(c) (safeguards).

OCR enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

On December 1, 2011, OCR notified the VHA of this complaint.

Under the Privacy Rule, a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. See 45 C.F.R. Covered entities must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 C.F.R. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures of PHI that are not permitted by the Rule, such as those uses or disclosures that may be inadvertent actions of an individual employee. The Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures. See 45 C.F.R.

On December 30, 2011, the VHA submitted its written response to the complaint allegations. In its response, the VHA confirmed that Complainant's name, service connection status, and basic medical information were disclosed on the AOD log. The VHA explained that the AOD log is used to describe events during the tour to include: admissions, discharges, gains and losses, bed availability, and emergency room activity. Complainant's information was included on the AOD log dated May 4-5, 2011 because he had been seen in the emergency room that day. The VHA indicated that because the AOD log is widely distributed within the facility, the internal policy is to list the information for all patients who are also employees as confidential. Soon after the AOD was distributed, the VHA determined that Complainant's medical information had not been listed as confidential.

In order to address the issues of this complaint, the VHA conducted an internal investigation, sanctioned the employee responsible for the disclosure, retrained all on the policy to list employee medical information as confidential, and sent a notification letter to the Complainant which apologized for the incident. Along with its response, the VHA included copies of its Privacy Policy, the AOD position description, and the apology letter sent to Complainant. Additionally, the VHA provided OCR with documentation of its internal investigation, the employee's disciplinary action, and retraining for all AODs.

The Privacy Rule explicitly permits covered entities to use or disclose PHI for treatment, payment, or health care operations. See 45 C.F.R. 164.502(a) (uses and disclosures), 164.506 (uses and disclosures to carry out treatment, payment, or health care operations), and 164.501 (definition of health care operations). In this instance, while the listing of Complainant's PHI on the AOD log constituted a breach of VHA internal policy, it does not constitute an impermissible disclosure under the Privacy Rule because it would be considered a permissible disclosure for health care operations.

We have reviewed the matters raised in the complaint. Based on our review of the facts and circumstances of these matters, as well as the actions taken by the VHA to address Complainant's concerns, we have determined that no further action by OCR is required. We are closing this complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Sarah Parker at (202) 260-2197. Thank you for bringing this matter to our attention.

Sincerely,

Marlene L. Rey
Acting Regional Manager