DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite
51 Forsyth Street, SW.
Atlanta, GA 30303
Voice - (404) 562-7886, (800) 388-1019
TDD - (404) 562-7884, (300) ear-res?
Fax - (404) 562-4881

July 30, 2012

Ms. Vickie Bowman
Veterans Health Administration
VHA Privacy Office
810 Vermont Ave, NW
Washington, D.C. 20420

RE: v. Atlanta Veterans Administration Medical Center
Reference No: 11-] 32391

Dear glam?) and Ms. Bowman:

On August 15, 2011, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Iibll?liblmm I alleging non-compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the "Privacy and Security Rules") and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. complained that his protected health information was disclosed to his coworkers during a slide presentation used for training purpose among staff. He also stated that his complaint was not handled adequately after he notified the VA of his concerns. These allegations could constitute violations of the Privacy Rule. See 45 C.F.R. and OCR enforces the Privacy, Breach Notification and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 C.F.R. The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R. A covered entity must provide a process for individuals to make complaints concerning the covered entity's compliance with the Privacy Rule. 45 C.F.R.

On February 14, 2012, OCR notified the Veterans Administration (hereinafter "the of the privacy complaint filed by and requested certain documents and information related to the facts alleged. On April 2, 2012, the VA provided a detailed response to the allegations, along with its HIPAA training materials, provisions of its personnel manual, and its confidentiality policies, and various other policies related to this matter.

From our review of the relevant documents and allegations, it appears that during a hospital training seminar, a staff member used Complainant's health data as part of a training exercise such that it was accessible for all staff present. Complainant brought the matter to the attention of the privacy officer, but heard no clear response.

The VA largely confirmed Complainant's account of these events. The individual that conducted the presentation had initially been counseled. But after receiving notice of our investigation, a written sanction was issued to the employee. Additionally, a memo admonishing staff not to use identifying patient PHI for presentations was circulated to hospital staff. A checklist was also produced to provide a way to assure compliance with the memorandum. The use of these documents in the future is likely to prevent reoccurrence of the violation that occurred in this matter.

Accordingly, the matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance action of the Veterans Administration. Therefore OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence of record pertinent to resolving the issues raised by you in the aforementioned complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Elliott Schwalb at (404) 562-2790 (Voice), (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager