DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10273

Voice - (212) 26443313, (800) 368-1019
TDD - (212) 264-2355
(FAX) - (212) 264-3039

MAY 3 0 2m

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office -10P2C1
Department of Veterans Affairs
Veterans Health Administration
810 Vermont Ave., NW.
Washington, DC 20420

Our Reference Number: 11-128096

Dear Ms. Wilson:

On May 27, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received the Department of Veterans Affairs, Veterans Health Administration's (VHA) breach report filed on website alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 CFR Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the breach report indicates that on March 31, 2011, the VHA discovered that a nurse left documents containing protected health information (PHI) for 6,006 individuals at a nursing station while in the midst of relocating to a different ward. This allegation could reflect violations of the Privacy Rule at 45 C.F.R. and respectively.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

On December 16, 2011, OCR notified VHA of our receipt of the breach report filed on website and that OCR required that certain data be submitted concerning the breach.
OCR subsequently received responses on December 21, 2011 and January 24, 2012, respectively. VHA provided OCR with Privacy Rule and Breach Notification Rule related materials including a copy of the notification letters sent to the 6,006 individuals affected by the breach, a copy of the press release to the media, and a copy of procedures with respect to safeguarding PHI.

OCR learned that on March 31, 2011, a Nurse Manager, who was relocating to her new duty station, requested administrative personnel to contact the recycling service to pick up plastic garbage bags containing documents intended for shredding. OCR further learned that after receiving notification that the recycling service was on the way to pick up the items, the items were left in front of a nurse's station with the double doors to the ward left ajar. OCR also learned that the recycling crew did not pick up the items and that the bags containing PHI were left unsecured from March 31, 2011 until the morning of April 4, 2011 when another employee discovered the bags. The bags consisted primarily of documents containing names, social security numbers, patient care assignments, patient counts, and patient census lists. In addition, OCR learned that the bags also included documents containing employee information such as staff proficiencies, counseling letters, and training rosters.

During the course of OCR's investigation, VHA provided written assurance of various corrective actions to prevent a recurrence of the breach. VHA informed OCR that the incident was immediately investigated by the Privacy Officer and the Information Security Officer, disciplinary actions were taken against two Nursing Service employees, the incident was reported to the VA Network and Security Operations Center, and additional safeguards were implemented which required re-educating all staff on the privacy and information security regulations.
The VHA also informed OCR that nursing leadership is now required to conduct rounds on wards immediately after they are vacated and VHA took actions to review and enforce the facility's records management policies.

OCR notes that VHA offered 1,690 individuals of the 6,006 individuals affected by the breach credit monitoring identity theft protection for one year at no cost because their names and social security numbers were found on the documents in the unsecured garbage bags. The VHA mailed out notification letters to the remaining 4,316 individuals (or next-of-kin for deceased individuals) informing them of the breach and received seven letters returned due to insufficient addresses. Furthermore, VHA provided OCR with documentation of a news release that was sent to media outlets in several markets informing the public about the breach and a toll free number for questions concerning the incident.

OCR determined that the matter raised by the breach report at the time it was filed has now been resolved through the voluntary compliance actions of VHA. Therefore, OCR is closing this breach report investigation. determination as stated in this letter applies only to the allegation in this breach report that was reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Shawnee Swinton, Investigator, at (212) 264-1225.

Sincerely,

Li a. C. Colon
Regional Manager
Office for Civil Rights
Region II