?'55



DEPARTMENT OF HEALTH 3: HUMAN SERVICES

Voice? (215) 861-4441
TDD (215)861-4440
FAX - (215) 861-4431

OFFICE OF THE SECRETARY

Of?ce for Civil Rights, Region 
150 5. Independence Mall West
Public Ledger Building, Suite 322
Philadelphia, PA 19106-3499

ov ocr

12-141408
Array Kaplan
215?861-4446

Reference:
Investigator:
Contact Telephone:

April 22, 2014

Department of Veterans Affairs

Andrea Wilson, RHIA, CIPP

WA Information Access and Privacy Of?ce
810 Vermont Avenue, NW

Washington, DC 20420

 

{bll?llbl?llcl

 

 

 

(13115103117110

Dearth 1.th ll 1 I

 

On March 26, 2012, the US. Department of Health and Human Services (HHS), Of?ce for Civil

Rights (OCR) received a complaint alleging that Hampton Roads VA Medical Center is not in

compliance with the Federal standards for privacy of individually identi?able health information

and/or the Security Standards for the Protection of Electronic Protected Health Information 45

can. Parts 160 and 164, Subparts c, and E, the Privacy and Security Rules). Speci?cally
alleged that on October 25, 2011, the Hampton VA Medical Center release 

PHI regarding a medical visit to his employer without consent or authorization. This allegation

could re?ect a violation of 45 CPR. regarding impermissible disclosure of
protected health information, and or 45 CPR. regarding safeguards.

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit
discrimination in the delivery of health and human services because of race, color, national
origin, disability, age, and under certain circumstances, sex and religion.

On October 5, 2012, OCR noti?ed the Department of Veterans Affairs (VA) regarding the
complaint.

We have reviewed the matters raised in the complaint. The VA provided OCR with written
assertion of the following: The complainant alleged that the Veterans Administration Medical
Center (VAMC) in Hampton, VA disclosed information to his employer stating that he was not
seen in the ER on October 12, 2011. Speci?cally, the complainant alleges that staff member
{bli?l-ibliilicl impermissiny con?rmed that the complainant did not receive any emergency
services on a speci?c date to his employer without his consent. The VA assured OCR that their
Privacy Of?cer and the VHA Privacy Of?cer have thoroughly reviewed the complaint.

 

Controller for the Navy Pay and Personnel Support Center sent an email to 
who is the Executive Assistant to the VAMC Director regarding the complainant.
(WNW) is not employed by the VAMC. The complainant appears to be an employee of the

The VA indicated that the information requested was veri?cation that the complainant

was seen at the VAMC on Setember 26, 2011 per a fax that was provided to the on

VAMC letterhead. stated she was performing a fact ?nding investigation

concerning one of the employees.

The VA noted that the faxed document was on VAMC letterhead (a copy of which was provided
for OCR review) and contained information that the complainant was in the emergency room on

VAMC. The VA further explained that the email mess. was shared with
the Assistant Chief of Human Resources at the VAMC, A copy of the email


September 26'h from 12:00 to 4:00 and had a VAMC employee?s name printed at the bottom

of the document. The employee, is a medical Clerk workin at the Hampton

it: from
{bll?libl WC)

message dated October 7, 2011 was provided to OCR IsTbsequently sent a message

 

 

 

 

to to follow?up with the request. contacted the Chief of the
Health Administration Service (HAS) to verify if the comp ainant was seen at the VAMC per the
faxed document and inquired about the process of clerks providing this information outside of

 

VA. ?bJ?BJ-?bmm Chief of HAS. responded that there was no appointrnent for the
complainant svstern for 1he date in question. imi?j-?m?ij?? Ithen forwarded the email

 

 

 

 

message back to ?bj?mbjm?m from the which did not contain the full name of the
complainant.

 

 

Upon further review and interv? ew withWA Medical Clerk, the VA determined
that the complainant contacted 3? 3 by telephone requesting an appointment list in order

 

to provide information to his?emp oyer. The complainant was faxed a letter regarding his
appointment in the Medical Specialty Clinic per his request that included a signed VA form 10-
2382. The faxed document on VA letterhead was not signed byliblisl-iblmicl Ialso
recalls receiving a telephone call regarding the faxed document he provided the complainant and
he transferred the call to the Release of Information Unit per VA Policy. He provided on
information over the telephone. (A statement was provided to OCR)

On January 26, 2012, the Privacy Officer received a telephone call from the complainant that his
information regarding his medical appointment was provided to his employer via an email
message. The complaint was entered into the VA Network and Security Operations System and
investigated. It was determined that the faxed doctnnent that was provided to the complainant
had been altered to state that the complainant was in the VAMC ER on September 26th from
12:00 to 4:00pm. The investigation did con?rm that forwarded information
denying that the complainant was seen in the VAMC ER on the date in question. The email was
sent and did contain the full name of the Veteran which is against VA policy.

It was also determined that the ?rst party requests ?'om Veterans for information from their
health records should be referred to the facility Release of Information Unit in lieu of faxing
documents directly to the Veterans.

The explained to OCR that the complainant was provided a response from the VAMC
Director informing him that his name was included in an email that was sent outside of the VA
which is against the VA policy, however, it was determined that a breach did not occur as the
VA only denied that there was an appointment on a date provided by the and confirmed
that a document provided on VA letterhead appeared to be altered. The VA continued that the
complaint was valid since the email was sent outside of the VA on an email
containing the full name of a Veteran. The complainant was provided noti?cation on January
27, 2012 and the Medical Center Director apologized for any inconvenience or concern that this
situation may have caused. The Privacy Of?cer instructed the employees involved in this

land immature) I to retake their VA Privac and Information Security
and HIPAA training regarding the handling of Veteran information. no longer is

employed with the VAMC.

 

 

All matters raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of the VA. Therefore, OCR is closing this case.

OCR's determination as stated in this letter applies only to the allegations in this complaint that
were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact 'Amy Kaplan, at (215) 861-4446.

Sincerely,



Barbara J. Holland
Regional Manager