DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

voice 421513514441, Too 4215135144411 from

Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

March 14, 2012

Andrea Wilson
VHA Privacy Office Manager
VHA Privacy Office (10P2C1)
Health Information Governance
310 Vermont Ave, NW
Washington, DC 20420

OCR Transaction Number: 11-128066

Dear Ms. Wilson,

On March 28, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a Health Information Technology for Economic and Clinical Health (HITECH) Breach Report from the Department of Veterans Affairs (VA). This document reported the possible noncompliance with certain aspects of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the document indicated that an employee of the VAMC left a file with protected health information (PHI) unattended in a government-owned vehicle.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Under the Breach Notification Rule, "breach" means the acquisition, access, use, or disclosure of PHI which poses a significant risk of financial, reputational, or other harm to the individual. See 45 C.F.R. 164.402. The Breach Notification Rule requires covered entities that discover a breach of unsecured PHI to notify "each individual whose ... information has been ... accessed, acquired, used, or disclosed as a result"
of the breach within 60 days. See 45 C.F.R. 164.404.

On June 22, 2011, OCR contacted the VA. The VA confirmed that a VA employee utilized the government-owned vehicle to provide scheduling training at the Wood County Outpatient Clinic. The employee was a Supervisory Medical Support Assistant who is responsible for the training of medical clerks. A packet of information fell out of her folder between the seats or under the seat of the vehicle. The packet was clipped together along with being stapled. The VAMC employee was unaware that the packet was missing from her folder during the training session. Although the vehicle was utilized by 14 government employees from October 27, 2010 and November 16, 2010, it was then locked and parked at the VAMC parking lot waiting to have vehicle damage repair work done due to an accident on November 16, 2010. Subsequent to the repairs, the vehicle was used by two employees prior to the packet being discovered while it was being cleaned by a VAMC employee on either February 7 or February 8, 2011. The entire packet of PHI was found inside the vehicle and there was no evidence that the PHI had been impermissibly disclosed.

OCR provided the VA with information on what constitutes a breach under the Breach Notification Rule. The VA was receptive to the technical assistance and indicated that it understood; however, the VA explained that it had made the decision to notify the patients despite the fact that there was no indication that PHI had been accessed, used, or disclosed and provide the individuals with the offer for enrollment in credit monitoring. The employee involved received disciplinary action, as well as retraining in the safeguard policies with special emphasis on when it is appropriate to remove PHI from the VA facility.

Based upon the information provided, we have determined that no further OCR action is warranted, therefore, we are closing this matter.
This determination applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Diana Vinceuzo at (215) 861-4217. Thank you for bringing this matter to our attention.

Sincerely,

Marlene L. Rey
Acting Regional Manager