DEPARTMENT OF HEALTH 8: HUMAN SERVICES Of?oe 0f the Secretary
Voice - (816} (300) 368-1019 Of?ce for Civil Rights, Region Vli
TDD - (316) 4264065. (800} 5373697 601 East 12th Street. Room 353
Fax - (616} 426-3636 Kansas City, MO 64106


SEP 1 8 21113


 

 

 

 

Ms. Andrea Wilson, Privacy Implementation Coordinator
Department of Veterans Affairs

Veterans Health Administration

VHA Privacy Of?ce (10P2C1)

310 Vermont Avenue, NW.

Washington, DC. 20420

Our Transaction Number: 12-135004

Dear {blislibliilicl and Ms. Wilson:

On November 18, 2011, the US. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR) received correspondence from  iblisl=iblillicl  (Complainant). Based
on his correSpondence, OCR continued its review of the allegations in the complaint ?led by will

on February 22, 2011 (Transaction Number 11?l24330). OCR apologizes for the 'ong
delay in processing this complaint.

 



 

This complaint alleged a violation of the Federal Standards for Privacy of Individually Identi?able
Health Information andl?or the Security Standards for the Protection of Electronic Protected Health
Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules)
by the Veterans Administration Medical Center in Kansas City, Missouri (Covered Entity).
Speci?cally, the Complainant alleged that his protected health information was impermissiny
disclosed to his parole of?cer without his authorization by a Covered Entity employee. Based on
the aforementioned information, OCR investigated this complaint as a potential violation of 45
C.F.R. Sections the use and disclosure standard of the Privacy Rule, and 
the safeguards standard of the Privacy Rule.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces the Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy, Security, and Breach Noti?cation Rules apply to covered entities, which include
only: a health care clearinghouse; a health plan; or a health care provider which
transmits any health information in electronic form in connection with a transaction for which
HHS has adopted standards.

 

Page 2 of3, gag,th Wilson, Transaction 12-135004

 

 

 

In a letter dated August 5, 2013, OCR noti?ed the Covered Entity of the Complainant? allegation.
Ms. Andrea Wilson, Privacy Implementation Coordinator, presented the Covered Entity?s
response via correspondence dated August 28, 2013. As part of its investigation of this complaint,
OCR interviewed the Complainant and obtained and reviewed documentary evidence supplied by
the Covered Entity, including the Covered Entity?s policies and practices.

The Complainant alleged that a Covered Entity employee impermissibly disclosed information
about his compliance with and completion of the VA Substance Abuse Residential Rehabilitation
Treatment Program to his parole of?cer. The Complainant asserted that the disclosed information
not only violated his privacy, but was inaccurate. The Complainant told OCR Investigator - .
Smith or. July 29, 2013, that he has been in touch Entity?s Privacy Of?cerW
(?whim since the incident happened. He stated th told him the incident had been
investigated and he received a letter stating that the individual involved in the incident was no
longer employed by the Covered Entity, but as he never received a formal investigation report he
does not know if the matter was really investigated, what the investigation revealed, whether the
individual involved received any disciplinary action, or whether the individual was terminated
because of the incident or left of his own accord. He further stated that he would like to know the
name of the individual who impermissibly disclosed his so that he can file a complaint with
the appropriate state licensing board, but as refused to give him any of this
information.

 

 

 

 

 

The Covered Entity reported that the complaint allegation is valid. The Complainant reported the
incident to the Covered Entity on January 12, 201 I and the situation was investigated, but there
was no evidence that the person the Complainant suspected disclosed his PHI to his a arole of?cer.
Upon further investigation, however, the Covered Entity received cm
the Complainant?s parole officer, that Covered Entity employee libilm?lmm'ici lverbally disclosed
the Complainant?s PHI to her on June 18, 2009. The Covered Ent' to locat=
authorization from the Complainant to provide this information to {Weimjmm although 
reduced a ?Consent for Release of Con?dential Information? signed by the Complainant
on June 17, 2008, that she stated was protocol for all offenders to sign at the start of parole

supervision. The consent form states that it expires one year from the date of signature, which was
June 2009.

 

 

 

 

It is noted that is not the employee the Complainant suspected and named when he

reported the incident to the Covered Entity or when he filed his complaint with OCR. The Covered
Entity reported that separated from Covered Entity employment on January 2, 2010,
which was more than a year - fore the Complainant reported the incident to the Covered Entity.
Nevertheless, the supervisor of the department in whichworked reviewed with all staff
the requirements regarding Veteran authorizations when any information is needed by parole
of?cers, and a notice of the breach was provided to the Secretary of HHS on May 24, 2011. In
addition to its policies and procedures, the Covered Entity provided copies of its investigative
report, noti?cation letter to the Complainant, statement from and authorization form
signed by the Complainant, as well as the breach report submitted to the Secretary of HHS for
review.

 

 

 

OCR has concluded its investigation and notes that all matters raised by the complaint have been
resolved through the voluntary compliance actions of the Covered Entity. Therefore, OCR is
closing this complaint as of the date of this letter. determination as stated in this letter
applies only to the allegations in this complaint that were reviewed by OCR.

 

Page 3 of3, groom I Wilson, Transaction 12-135004

 

 

 

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals or
that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have questions regarding this matter, please contact Venita Smith, OCR Investigator, at
(316) 426-6367 (Voice), (816) 426-7065 (TDD). When contacting this of?ce, please remember to
include the reference number that we have given your file. That number is located in the upper
left-hand corner of this letter.

Sincerely,

Frank Camp ell ?5 

Regional Manager

4"
fr
I