DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IX
90 Street, Suite 4-100
San Francisco, California 94103
Voice - (415) 43??8310, (800) 353-1019
TDD - (415) 43?-8311, (300) 53?-?697
(FAX) - (415) 43?-3329

September 26, 2012

[redacted]

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
Privacy Officer
Department of Veterans Affairs
Veteran's Health Administration
810 Vermont Avenue, NW.
Washington, D.C. 20420

OCR Reference number: 12-134421

Dear [redacted] and Ms. Wilson:

On October 27, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint (the complainant) alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complaint alleges that the Veterans Affairs Greater Los Angeles Healthcare System (VA) impermissibly disclosed his protected health information following a June 10, 2011 hospitalization at the Sepulveda VA Medical Center, when VA workforce members impermissibly accessed the complainant's Protected Health Information (PHI) and disclosed to his employer that the complainant's medical record indicated that he was not at the hospital on June 13, 2011. These allegations could reflect violations of 45 C.F.R. § 164.502.

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

On February 2, 2012 OCR notified VA of the complaint. On April 18, 2012, OCR received VA's initial response to the allegations. A summary of this response is provided below:

1. VA determined this complaint was valid. Two VA employees accessed the complainant's PHI, without a work related purpose.
It appears that this access may have been on behalf of supervisory staff of the complainant's employer.

2. All employees involved in this complaint have received additional training on the requirements of the Privacy Rule, except for one, who was officially removed from employment with VA, due in part to a similar privacy issue.

3. Formal disciplinary action was taken against one of the workforce members, consistent with policy on employee sanctions.

In response to finding that an impermissible disclosure of PHI had occurred, OCR instructed VA to conduct a risk assessment pursuant to 45 C.F.R. § 164.402(1) in order to determine if the impermissible disclosure had resulted in a substantial risk to the patient of financial, reputational or other harm. VA found that the disclosure in this case may have created such a risk to the complainant. Based on the results of this risk assessment, VA reported the breach to OCR on April 6, 2012, pursuant to 45 C.F.R. § 164.403. VA also notified the complainant of the potential risk. OCR provided technical assistance to VA in identifying what information such notification must include, under 45 C.F.R. § 164.404. The notification to the complainant also extended an offer of free credit monitoring and suggested other steps the complainant may wish to take to protect against the potential risk created by the breach of his

OCR attempted to contact the complainant on multiple occasions to discuss the resolution of this case. Unfortunately, at the time of this letter, OCR was not able to reach the complainant.

We have reviewed the matters raised in the complaint. All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of VA. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in the Privacy Rule complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Eric Press, Equal Opportunity Specialist at (415) 437-3321.

Sincerely,

Michael Leoz
Regional Manager