.a DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY 3, voice taco) sea-101s Of?ce for Civil Rights, Region TDD - {315} 42B-T065. (800] 53?-?69? 601 East 12th Street, Roam 353 ?that: (FAX) - (815} 425.3536 Kansas City, Missouri 64106?28] 7 JUL 1 1 2013 Ms. Andrea Wilson VHA Privacy Of?cer Department of Veterans Affairs Veterans Health Administration 810 Vermont Avenue, NW. Washington, D.C. 20420 {bli?llblillicl Our Reference number: 12- 146259 - is 6th Dear Ms, Wilson and it it it it i On July 26, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) by the VA Comery-O?Nea] Medical Center in Topeka, Kansas. Specifically, the complainant, aIleged that the VA violated the Privacy and Security Rules when a third party, misrepresenting herself as his attorney, impermissiny got his protected health information without his authorization. These allegations could re?ect violations 01?45 C.F.R. 164.502, the use and disclosure standard of the Privacy Rule, and the safeguard standards of the Privacy Rule, respectively. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On December 21, 2012, OCR sent the VA a noti?cation letter about the complaint. On April 18, 2013, the VA responded to OCR and stated that it investigated the complaint, and was able to substantiate a violation of complainant?s medical records. The VA reported that it gave the employee who impermissiny disclosed complainantis protected health information additional training on how to handle subpoenas and other legal demands for documents. The VA also submitted, as precautionary process to avoid complainant?s protected health information being used to establish a false account without his consent, the VA Network Security Operations Center event ticket. When OCR contacted complainant on at: 512013 in order to con?rm if he got a letter of apology from the VA, complainant acknowledged that the VA did provide him with an apology. The VA also provided OCR with documentation of all the measures that were taken following the impermissible disclosure. Page 2 of2 Wilson and ?2??le 12-146259 All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VA. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. in the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Joseph Ndifor, lnvesti gator, at (Voice), (816) 426- 7236. Sincerely, Frank Campbell 2% Regional Manager