U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Regional Manager
Office for Civil Rights
999 18th Street, South Terrace, Suite 417
Denver, Colorado 80202
Telephone: (303) 844-7915
FAX: (303) 344-2025
TDD: (303) 344-3439

December 21, 2012

Andrea Wilson, Privacy Implementation Coordinator
Department of Veterans Affairs
Veterans Health Administration
VHA Privacy Office (10P2C 1)
810 Vermont Avenue, NW.
Washington, DC 20420

Re: v. Department of Veterans Affairs
OCR Transaction Number: 12-138734

Dear Ms. Wilson:

On February 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received the above-referenced complaint (Complainant). In it, Complainant alleged that the Department of Veterans Affairs, tern Colorado Health Care System (DVA) was not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, Complainant alleged that DVA impermissibly disclosed and failed to safeguard her protected health information (PHI) when a DVA director disclosed the PHI, via correspondence dated January 26, 2012, to a Congressman. OCR investigated Complainant's allegations as potential violations of 45 C.F.R. 164.502(a) (impermissible disclosures); and 164.530(c) (safeguards) and (mitigation).

OCR enforces the Privacy, Security, and Breach Notification Rules. OCR also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

OCR notified DVA of the subject complaint on March 3, 2012, and DVA submitted its response on April 2, 2012.
DVA denied any violation of the Privacy Rule, stating that its actions were taken in compliance with internal policies and procedures.

A covered entity, such as DVA, may not use or disclose PHI except as permitted or required by the Privacy Rule and must have in place appropriate safeguards to protect the privacy of PHI.[1] The Privacy Rule permits disclosures to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,[2] of the directly relevant to such person's involvement with the individual's care or payment related to the individual's health care.[3] If the individual is present for, or otherwise available prior to, such a permitted use or disclosure and has the capacity to make health care decisions, the entity may use or disclose the PHI if it: obtains the individual's agreement; provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.[4] The entity must also mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure in violation of its policies and procedures.[5]

OCR collected documentary evidence from Complainant and DVA, including: (1) an Authorization Sheet, completed and signed by Complainant, dated January 9, 2012, and provided by the Congressman's office to (2) Checklist for Responding to Congressionals, which DVA completed to facilitate its response to the Congressman; (3) response letter to the Congressman, dated January 26, 2012; and (4) the Congressman's response letter to Complainant, dated January 2012. OCR also reviewed relevant sections of policies and procedures regarding responses to Congressional inquiries and found that they are consistent with the Privacy Rule's requirements regarding the subject complaint.[6]

[1] 45 C.F.R. 164.502(a) and respectively.
[2] Disclosures to persons who are not family members, relatives, or close personal friends of the individual, are permissible, provided the covered entity has reasonable assurance that the person has been identified by the individual as being involved in his or her care or payment.
[3] 45 C.F.R.
[4] 45 C.F.R.
[5] 45 C.F.R.
[6] OCR reviewed relevant language in policies and procedures, including: Privacy Policy, Attachment Cat-l, Uses/Disclosures for Treatment, Payment, and Health Care Operations, and Other Operations Not Requiring Authorization; and VHA Handbook 1605.1, Privacy and Release of Information.

During its investigation, OCR learned that DVA has established a checklist procedure to facilitate its responses to Congressional inquiries. In the instant case, OCR found that although DVA permissibly disclosed relevant PHI upon reasonable assurance that Complainant had identified the Congressman as being involved in her care, the DVA employee preparing the response had incorrectly completed the checklist. In addition, in initially responding to OCR, DVA misidentified its permissible basis for the disclosure at issue; DVA lacked a valid authorization, pursuant to the Privacy Rule's requirement and its internal policy and procedure; however, it did have a copy of the original correspondence from Complainant requesting the Congressman's assistance. OCR provided DVA technical assistance on uses and disclosures for involvement in an individual's care.

To resolve the subject complaint, on November 1, 2012, DVA provided training to relevant staff responsible for Congressional responses. OCR received documentation of the staff training.

All matters raised by the subject complaint at the time it was filed have now been resolved through voluntary compliance actions. Therefore, OCR is closing the complaint, effective the date of this letter. determination as stated in this letter applies only to the allegations in the complaint that OCR reviewed.

Under the Freedom of Information Act, we may be required to release this letter and other information about the subject case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding the Privacy Rule or disposition of the subject complaint, please contact me at 303-844-7915, or Ms. Meghana Shah, .D., Equal Opportunity Specialist, at 303-844-0542.

Thank you.

Sincerely,

Velveta Howell
Regional Manager