scum-?
co



0? ?lurk.




1

DEPARTMENT or HEALTH HUMAN SERVICES Of?ce ofthe Secretary

 

Of?ce for Civil rights. Region IV
Atlanta Federal Center

61 St. SW. Suite 
Atlanta. GA 30303

Voice (404] 562-7885. (800) 368?1019
TDD - (404) 331-2861 (800) 5317697
Fax - (404) 562??881



March 20, 2012
(MIGMWOIC)

 

 

 

 

VHA Information Access and Privacy Of?ce
Attn: Andrea Wilson, 

VHA Privacy Specialist

Department of Veterans Affairs

810 Vermont Ave, NW. (10P2C)
Washington, D.C. 20420

RE: on behalf of (WINWIWNC) v. Central Alabama Veterans Health Care System

Reference number: 11-135298

 

 



 

Dear and Ms. Wilson:

 

 

On October 29, 201], the Department of Health and Human Services (HHS), Of?ce for Civil Rights
(OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually
Identi?able Health Information, the Security Standards for the Protection of Electronic Protected
Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules), and/or the Breach Noti?cation Rule Subpart - Noti?cation in Case of Breach of Unsecured
Protected Health Information (45 C.F.R. 164400164414). Speci?cally, the complaint
alleges that an employee of Care Ambulance Service a business associate of Central Alabama
Veterans Health Care System, Montgomery, AL (CAVHCS), sawat MVAMC and posted
information about it on wwfacebookcom. These allegations could re?ect violations of 45 CPR. 
164.502(e) and 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil
rights laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

On February 14, 2012, OCR noti?ed CAVHCS of the allegations in the complaint. In response,
CAVHCS acknowledged that we brought to CAVHCS by Care, and it acknowledged
that a Care employee recognized and posted information about his visit to CAVHCS on
After CAVHCS received notification of the incident on November I, 2011, it
noti?ed Care and reported the incident to HHS as a Breach of unsecured protected health information
(PHI). Care retrained its staff on the Veterans Health Administration?s privacy policies. Care also
terminated the responsible employee.

 

All matters raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of Central Alabama Veterans Health Care System, Montgomery, AL.

 

Although CAVHCS acknowledged that its business associate discloseHl, the

business associate terminated the responsible employee and retrained its staff. CAVHCS noti?ed the
complainant and HHS of the disclosure. Therefore, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that were
reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the issue raised
in the complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information
about this case upon request by the public. In the event OCR receives such a request, we will make
every effort, as permitted by law, to protect information that identi?es individuals or that, if released,
could constitute a clearly unwarranted invasion of personal privacy. -

If you have any questions, please contact William Corriher, Investigator, at (404) 562-7523 (Voice),
(404) 562-7884 (TDD).

Sincerely ur

   
   

oosevelt Freeman
Regional Manager

DEPARTMENT or HEALTH HUMAN SERVICES Of?ce ofthe Secretary

 

 

Voice - (404) 562-7886, (800) 368-1019 Of?ce for Civil rights, Region IV
TDD (404) 331-2857. (soc) ear-r697 Atlanta Federal Center

Fax - (404) 552-7331 61 St. SW. Suite 
Atlanta GA 30303

March 20, 2012
(bli?liblii?licl

 

 

 

 

VHA Information Access and Privacy Of?ce
Attn: Andrea Wilson, 

VHA Privacy Specialist

Department of Veterans Affairs

810 Vermont Ave, NW. (10P2C)
Washington, DC. 20420

RE: ?on behalf of (bli?l?mlwm v. Central Alabama Veterans Health Care System
erence number: 11-135298


Dear igw and Ms. Wilson;

 

 

 

 

 

 

 

 

 

On October 29, 2011, the Department of Health and Human Services (HHS), Of?ce for Civil Rights
(OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually
Identi?able Health lnforrnation, the Security Standards for the Protection of Electronic Protected
Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules), and/or the Breach Noti?cation Rule Subpart - Noti?cation in Case of Breach of Unsecured
Protected Health Information (45 C.F.R. Speci?cally, the complaint
alleges that an employee of Care Ambulance Service a business associate of Central Alabama
Veterans Health Care System, Montgomery, AL (CAVHCS), sawat MVAMC and posted
information about it on WW.faCBb00k.C0m. These allegations could re?ect violations of 45 C.F.R. 
164.502(e) and 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil
rights laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

On February 14, 2012, OCR noti?ed CAVHCS of the allegations in the complaint. In response,
CAVHCS acknowledged tha as brought to CAVHCS by Care, and it acknowledged
that a Care employee recognand posted information about his visit to CAVHCS on
After CAVHCS received noti?cation of the incident on November 1, 2011, it
noti?ed Care and reported the incident to HHS as a Breach of unsecured protected health information

(PHI). Care retrained its staff on the Veterans Health Administration?s privacy policies. Care also
terminated the responsible employee.

All matters raised by this complaint at the time it was filed have now been resolved through the
voluntary compliance actions of Central Alabama Veterans Health Care System, Montgomery, AL.

 

Although acknowledged that its business associate disclose PHI, the
business associate terminated the responsible emplOyee and retrained its staff. CAVHCS noti?ed the
complainant and HHS of the disclosure. Therefore, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that were
reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the issue raised
in the complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information
about this case upon request by the public. In the event OCR receives such a request, we will make
every effort, as permitted by law, to protect information that identifies individuals or that, if released,
could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact William Corriher, Investigator, at (404) 562-7523 (Voice),
(404) 562-7884 (TDD).

Sincerely yours,

 

Regional Manager