DEPARTMENT OF HEALTH & HUMAN SERVICES
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 13170
B1 Forsyth Street, SW.
Atlanta, GA 30303
Voice - (404) 562-7886, (800) 363-1019
TDD - (404) 562-7884, (300]
Fax (404) 562-?381

February 23, 2012

[illegible]
Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
Attn: Constance Walters, VHA Privacy Officer
Department of Veterans Affairs
Veterans Health Administration
Information Access and Privacy Office (19F2)
810 Vermont Ave, NW
Washington, DC 20420

Re: [illegible] vs. Tennessee Valley Health Care System
OCR Reference Number: 04-11-129521

Dear [illegible] and Ms. Walters:

On July 13, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint filed by [illegible] (Complainant) alleging that the Veterans Health Administration (VHA) under the Department of Veterans Affairs (VA), the covered entity (CE), violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Specifically, the complaint alleges that violations of the Privacy Rule occurred on June 10, 2011, when the CE impermissibly disclosed Complainant's and that of other patients, by failing to apply reasonable safeguards. In particular, Complainant alleges that she and a group of six (6) to seven (7) patients were taken to the post anesthesia care unit when the staff and physicians loudly requested their PHI and asked the patients to identify the procedure that was to be performed. Complainant also alleges that two (2) male patients were hard of hearing, and the physician loudly discussed their surgical procedures.
Complainant further reports that she wrote to the CE regarding the subject concerns, but there has been no response to her complaint. These allegations could reflect potential violations of 45 C.F.R. 164.502(a) [uses and disclosures of 164.530(a) [safeguards], and [complaints to the covered entity], respectively.

OCR enforces the Breach, Privacy, and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule (PR) states that a CE may not use or disclose PHI, except as permitted or required by the Rule. (See 45 C.F.R. must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (See 45 C.F.R. §164.530(c).) This standard requires that CEs make reasonable efforts to prevent uses and disclosures of PHI that are not permitted by the Rule. The Rule also requires that CEs implement reasonable safeguards to limit incidental uses or disclosures of PHI. (See 45 C.F.R. 164.530(c).) In addition, the Privacy Rule states that a CE must have a process in place for individuals to make complaints concerning the covered entity's policies and procedures required by the Rule, or its compliance with such policies and procedures. (See 45 C.F.R. §164.530(d).)

In correspondence transmitted via facsimile on August 17, 2011, OCR notified VHA of the complaint filed against the CE. In addition, OCR reported the allegations in the complaint and requested that the CE provide a written statement addressing its internal investigation. OCR also requested documentation to support the investigation, additional identified data related to the investigation, and a copy of policies and procedures related to the aforementioned regulatory citations.

VHA responded to OCR's request in correspondence dated September 14, 2011, submitted by Ms.
Andrea Wilson, Privacy Implementation Coordinator, and provided its investigative findings. Findings determined that a privacy breach did not occur.

After obtaining initial response to the notification letter, OCR determined that the response did not include necessary documentation needed to make a determination as to whether the CE was in compliance with applicable provisions of the Privacy Rule. OCR determined that a privacy breach likely occurred, and requested that the CE take the following actions: advise of actions that will be taken to preclude a re-occurrence of the subject incident, including use of auditory safeguards, etc.; submit documentation of auditory safeguards that were distributed to the PACU staff for training purposes; provide a letter of apology (LOA) to Complainant; submit a copy of the policy and procedures; and address inclusion of a non-retaliation clause in its Notice of Privacy Practices (NPP). All additional documentation was necessary in order to ascertain the compliance with the Privacy Rule. As a result, Ms. Ingrid Dove, the assigned Investigator, subsequently provided technical assistance to the CE. Thereafter, OCR received additional requested information on October 26, and December 14, 2011, January 13, February 7 and 28, 2012.

OCR's examination of this matter reveals that as a result of TA provided to the CE, and in an effort to preclude further incidents of this nature and ensure compliance with the Privacy Rule, the CE took the following corrective actions: conducted a group discussion with PACU staff; provided remedial training regarding use of auditory safeguards to PACU staff, and submitted a copy of the training package and PACU participants; a HIPAA auditory PowerPoint presentation and flyer were distributed to all employee/staff users and posted on its website; agreed to explore alternatives to obtain needed which would ensure that reasonable safeguards are implemented; reported that the Joint Commission Readiness team recommended using the patient's full name/date of birth (DOB) (in lieu of the SSN) that was previously used as a patient identifier. As such, the patient is asked to provide his/her via a hand-held calculator or is offered the opportunity to write their name/DOB on paper, and PACU staff immediately discards the information in a shredder once it is verified. The PACU Nurse Manager reports that most patients opt for the paper option. Although the practice is currently being implemented, the policy is being re-written to reflect the change; submitted a letter of apology (LOA) to Complainant which addressed corrective actions taken and apologized for the manner in which Complainant's complaint was handled; and VHA acknowledged that its NPP does not include a retaliation clause and committed to revision of the subject policy in 2012.

Based on the foregoing, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the Veterans Health Administration (VHA) under the Department of Veterans Affairs (VA). Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Ms. Ingrid Dove, Investigator, at (404) 562-7877 (Voice), (404) 562-7384, or (300) 537-7697 (TDD).

Sincerely,

sevelt Freeman
Regional Manager