DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303

Voice - (404) 562-7886, (800) 368-1019
TDD - (404) 562-7834, (800) 537-7697
Fax - (404) 562-?831

February 27, 2012

Ms. Andrea Wilson, Privacy Implementation Coordinator
Attn: Shonta Wright, VHA Privacy Specialist
VHA Information Access Privacy Office (19F2)
U.S. Department of Veterans Affairs
810 Vermont Avenue NW
Washington, DC 20420

Re: [redacted] v. U.S. Department of Veterans Affairs
OCR Reference Number: 11-129644

Dear Ms. Wilson and Ms. Wright:

On July 15, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] alleging that the Veterans Health Administration (hereinafter "VHA") is in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule, Subpart D - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. [citation illegible]). Specifically, [redacted], Complainant, alleges that [redacted] at the VA Hospital in Atlanta impermissibly disclosed Complainant's protected health information (PHI) while he was in a deposition, without any prior authorization. The deposition took place on March 8, 2011. [redacted] does not have a treatment relationship with the Complainant. These allegations could reflect violations of [section illegible] and 164.530(c), respectively.

OCR enforces the Breach, Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. Please note that 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose PHI except as permitted by the HIPAA Privacy Rule. Please further note that 45 C.F.R. [section illegible] states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. 45 C.F.R. 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

On or around November 14, 2011, OCR notified the VHA of the complaint filed by Complainant. OCR's notification to the VHA included a written request for the results of their review of the complaint's allegations. OCR also requested a copy of VHA's policies and procedures with respect to the impermissible use and disclosure of PHI, the safeguarding of PHI, and the policies governing the mitigation steps taken by the covered entity should an impermissible disclosure of PHI occur. Shonta Wright, VHA Privacy Specialist, responded to OCR's written request for information on behalf of the covered entity. In the response, Ms. Wright submitted copies of the requested policies, procedures, and practices that are the subject of the investigation, which are necessary for OCR to determine whether the covered entity is complying with the applicable provisions of the Breach, Privacy and Security Rules. Ms. Wright provided evidence that they had internally reviewed and mitigated the allegations in this complaint. VHA's position is that the allegations did have merit in that [redacted] did, in fact, go into Complainant's medical record and share information regarding a medical procedure he received during a deposition. In fact, [redacted] was reading from a copy of Complainant's medical record during the deposition in order to answer some of the questions.

Since there was no treatment relationship between Complainant and [redacted], there would have been no reason for [redacted] to access the electronic medical record and subsequently read portions of the physical copy of the medical record. VHA internally investigated the matter and determined that [redacted], in the course of employment as a physician, misused his access to patient files in order to access the medical file belonging to [redacted], who was not treated by [redacted]. Based on [redacted]'s actions, their position is that the incident did occur as alleged, and therefore, it was not in compliance with their internal policies and procedures, which govern the impermissible use and disclosure of PHI as well as the safeguarding of the same.

OCR's analysis of the information gathered through our investigation discloses that the impermissible use and disclosure of [redacted]'s PHI by a VHA physician who did not possess a treatment relationship with [redacted] was not in compliance with the Covered Entity's policies and procedures in place that govern the impermissible use of PHI, as well as the safeguarding of PHI. Therefore, pursuant to OCR's investigation, VHA took the following corrective measures to demonstrate its willingness to voluntarily comply with the cited provisions of the Privacy Rule: Based on the internal investigation, [redacted] was required to retake training based on internal policies and procedures on the HIPAA Privacy and Security Rules. [redacted] was also informed of VHA attorneys he could utilize, who would assist him in remaining compliant with the HIPAA Privacy and Security Rules during the course of litigation, instead of public sector attorneys.

As a mitigation step taken by the VHA, [redacted] was provided with a letter of apology for what occurred and additionally was offered one year of credit monitoring with the Equifax Credit Watch Gold program, which monitors all three credit bureaus, at no cost to [redacted]. Based on what occurred, [redacted] will be issued additional sanctions based on his actions against [redacted]. VHA is still determining the appropriate level at which to sanction [redacted]. VHA will provide their decision on how they choose to sanction [redacted] to Investigator Moreland by email when this decision has been finalized.

Based on the foregoing, we have determined that the corrective action measures taken by the VHA are sufficient to effectively resolve the issues raised by Complainant, and furthermore demonstrate the willingness to voluntarily comply with the applicable provisions of the Breach, Privacy and Security Rules. As part of its investigation, OCR also reviewed the covered entity's internal policies and procedures applicable to [section illegible] and [section illegible] of the HIPAA Privacy Rule. Our review of the same deems them to be compliant with the Privacy Rule. Therefore, OCR has determined that all matters raised by this complaint, at the time it was filed, have now been resolved through voluntary compliance actions of VHA. We are accordingly closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect the information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Anitra Moreland, Investigator, at (404) 562-7521 (Voice), or (404) 562-7834 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager