DEPARTMENT OF HEALTH 8; HUMAN SERVICES OFFICE OF THE SECRETARY voice 4212) 254-3313, (corn 363-1019 Of?ce for Civil Rights, Region II TDD - {212) 264-2355, (soc) Jacob Javits Federal Building -(212) 264-3039 26 Federal Plaza, Suite 3312 New York, NY 10278 ibiiBitbitTitGi APR 0 2. 2013 Ms. Andrea Wiison, RHIA, CIPP, VHA Privacy Implementation Coordinator Information Access and Privacy Of?ce- 1DPZC1 Department of Veterans Affairs?Veterans Health Administration 810 Vermont Ave, NW Washington DC 20420 Our Reference Number: 12-141596 I. .I no Ms. Wilson: On April 2 2012, the US. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that Island Musculoskeletal Care (the covered entity) is in violation of the Federal Standards for Privacy of Individually Identifiable Health Information andlor the Security Standards for the Protection of Electronic Protected Health Informati (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, {bii?i'ibi'mici alleges that in February Ia staff member at the covered entity, impermissiny accessed his protected health information. These allegations could reflect violations of 45 C.F.R. and respectively. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race. color, national origin, disability, age, and under certain circumstances, sex and religion. On August 2, 2012 OCR noti?ed the Covered entity of the complaint. We have reviewed the matters raised in the complaint. The complainant advised OCR that he is an employee and a patient at the covered entity. The complainant asserts that he was advised by another employee that the staff member had accessed his protected health information. In response, the complainant requested an audit of his medical records to determine if staff members hadinappropriately accessed his medical records. The complainant asserts that he reviewed the sensitive patient access report and found that the staff member had accessed his medical record. The complainant also advised OCR that the covered entity acknowledged that the staff member impermissiny accessed his medical record. On April 4, 2012, the covered entity forwarded the complainant a letter of apoiogy notifying him of the incident. The covered entity advised OCR that on March 26, 2012, the complainant requested a copy of his sensitive patient access report and discovered that the staff member, who is his co?worker, had accessed his medical record on February 2, 2012. The covered entity advised OCR that it had conducted an internal investigation and found that the staff member had no reason to access the Page 2 and Ms. Andrea Wilson complainant's electronic health record in the performance of her work duties. As a result of this incident the covered entity implemented corrective actions. The covered entity advised OCR that on August 14. 2012. the staff member was retrained on the covered entity's Privacy and Information Security Awareness and Rules of Behavior and on October 3, 2012, the staff member was disciplined. The covered entity provided OCR supporting documentation of the disciplinary action and training. The covered entity provided OCR with its written assurance that it conducted the required risk assessment. The covered entity informed OCR of its conclusion that the impermissible access of the individuals protected health information did amount to a ?breach? requiring notification to the complainant and HHS Secretary because the breach posed a significant risk of harm to the complainant. The covered entity provided OCR a copy of its noti?cation letter to the complainant and reported the breach to the Secretary as required by the Rule. .AII matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the covered entity. Therefore. OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. in the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Kelli Robinson, Investigator, at 212-264-3314. {3,485 (m a C. Colon Regional Manager Office for Civil Rights