Vm?b i a, DEF HUMAN SE Voice 5654340, (300] 363-1019, TDD 565? 1343, (3'30) Sill-769? FAX 565-3809, Ollie: for Civil Rights, Region I JFK Federal Buildilg, Room 1875' Grimm-lent Canter Andrea Wilson VHA Privacy Implementation Coordinator Information Access and Privacy Of?ce -10P2C1 Department of Veterans A??airs - Veterans Health Administration 310 Vermont Avenue, NW. Washington, DC 20420 Our Reference number: 12-146522 {bili?iibim Dear {c1 Ms. Wilson: On July 31, 2012, the US Department of Health and Human Services (HHS), Of?ce for Civii Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules}. Speci?cally, the complaint alleges that a doctor who was not treating her and her supervisor impermissiny accessed her protected health information on the Veterans Health Administration (VHA) records system. This allegation could re?ect a violation of 45 C.F.R. ?164.502(a) and OCR enforces the Privacy and security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On October 26, 2012, OCR noti?ed the VHA of the complaint, VHA provided us with written assurance of the following: Complainant?s return to work note was received by the VHA and entered into its employee health record by his role as manager of the Occupational Health Program; when he entered the note w. so sent a receipt acknowledgement request to view complainant?s record to complainant?s manager; though a noti?cation was sent, complainant?s manager did not have permissions to access complainant?s records; against VHA policy, complainant?s manager did access the records system and signed the receipt acknowledgement. VHA has redesigned their work?ow to prevent a recurrence of the issue and trained employees on this process, The VHA has also appropriately sanctioned complainant?s manager for her actions. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of VHA. We have also received copies of policies for safeguarding protected health information, these policies appear to comply with the Privacy Rule. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Phil Lewis, Investigator, at (617) 565-1355 (Voice), (617) 565-1343 (TDD). Sincerely, Mme Peter K. Chan Regional Manager