DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region X
2201 Sixth Avenue, Mail Stop RX-11
Seattle, WA 98121-1831
Voice: (206) 615-2290, (800) 362-1219
TDD: (206) 615-2296

Date: [month illegible] 03, 2013

Department of Veterans Affairs
Veterans Health Administration
VHA Privacy Office
810 Vermont Ave., NW
Washington, DC 20420

RE: OCR Transaction Number 13-153225

Dear [names redacted]:

On December 19, 2012 the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [name redacted] ("Complainant") alleging that the VA Puget Sound Health Care System (VAPSHCS) was in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, Complainant, an employee of [redacted], alleged that in October 2012 she received a letter from the Privacy Officer notifying her that her health record had been inappropriately accessed by another employee, Administrative Assistant [name redacted]. These allegations raised issues of possible noncompliance with 45 C.F.R. 164.502(a) Impermissible Uses and Disclosures; 164.530(c) Safeguards; Risk Analysis; Risk Management; Workforce Security; Information Access Management; and 164.312(a) Access Controls. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR also received complaints from two other employees who alleged impermissible access to their electronic protected health information during this time period by the same individual. Those complaints, and the information provided with them, were incorporated into this investigation.
In response to complaint notification, the Veterans Health Administration (VHA) Privacy Office stated that the VAPSHCS Privacy Officer had received a complaint in July 2012 from a different employee regarding Ms. [redacted]'s impermissible access to her electronic protected health information. A Privacy and Security Event Tracking System ticket was issued to the Incident Response Team for review of this matter, and the allegations were investigated. The investigation found that [name redacted] had inappropriately accessed the records of numerous employees. Disciplinary action was recommended to her supervisor and Human Resources, and this was implemented in January 2013. The information provided to OCR reflects that the investigation found that 38 individuals' electronic protected health information had been impermissibly accessed. Notifications were sent to the affected individuals on October 9, 2012, which included an offer of free credit monitoring. The VHA Privacy Office provided OCR with a case summary, an extract from the Sensitive Patient Access Report, the tracking ticket report, an example breach notification letter, its breach notification to the Secretary, and relevant correspondence and policies. OCR also reviewed documents provided by one of the other Complainants referred to above, including her breach notification letter, a November 26, 2012 memorandum reporting the investigation, a complete Sensitive Patient Access Report, and her July 17, 2012 internal complaint letter.

The Privacy Rule issues raised by this complaint at the time it was filed were addressed by voluntary remedial action. However, one Complainant here also alleged that she only learned of the breach of her records much later, when she was asked by [name redacted] whether she had received a letter and then followed up with the Privacy Officer. She then learned that her October 9, 2012 notification letter had been returned undelivered because she had moved.
Despite the fact that she is a [redacted] employee, no further attempts were apparently made to notify her. The Breach Notification Rule provides that where contact information is insufficient or out of date for ten or fewer affected individuals, a covered entity shall provide substitute notice by an alternate means, such as telephone. Where more than ten persons are involved, a covered entity is required to make substitute notification by either making a conspicuous posting on its web site or by placing a notice in major print or broadcast media. See 45 C.F.R. The complaint allegations reflect that these requirements may not have been met in the case of this individual, and we request that the Privacy Office take all necessary steps to ensure that [redacted] complies with these notification requirements in the future.

The Security Rule issues regarding the safeguards in the electronic medical record system identified here by OCR were not addressed in the VHA Privacy Office's response to this complaint. However, Headquarters staff is currently working with VHA privacy officials to resolve such issues with the VHA medical record system on a national level. We are therefore closing this transaction and referring the matter to OCR Headquarters for review as a part of those efforts. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR and does not apply to any other issues regarding compliance with the Privacy and Security Rules.

Please note that no covered entity may intimidate, threaten, coerce or discriminate against an individual because he or she has made a complaint, testified, assisted, or participated in any manner in an action to secure rights protected by the Privacy Rule enforced by OCR. Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event OCR receives such a request, we will seek to
protect, to the extent provided by law, personal information which, if released, would constitute an unwarranted invasion of privacy. If you have any questions, please contact Terrill Clements of my staff at 206-615-2287.

Sincerely,

Linda Yuu Connor
Regional Manager
Office for Civil Rights


Date: May 03, 2013

RE: OCR Transaction Number 13-153225

Dear [name redacted]:

On November 14, 2012 the U.S. Department of Health and Human Services (HHS), Office for Civil Rights received your complaint alleging that the VA Puget Sound Health Care System was in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, your complaint alleged that workforce members of the VAPSHCS impermissibly accessed your electronic protected health information. As you were advised by OCR on April 9, 2013, your complaint, and the information you provided OCR, were consolidated with an existing OCR complaint investigation regarding this issue. A third complaint about this matter was also consolidated with this investigation. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.
In response to complaint notification, the Veterans Health Administration (VHA) Privacy Office stated that the [redacted] Privacy Officer had received your complaint in July 2012 regarding employee [name redacted]'s impermissible access to your electronic protected health information. A Privacy and Security Event Tracking System ticket was issued to the Incident Response Team for review of this matter, and the allegations were investigated. The investigation found that [name redacted] had inappropriately accessed the records of numerous employees. Disciplinary action was recommended to her supervisor and Human Resources, and this was implemented in January 2013. The information provided to OCR reflects that the investigation found that 33 individuals' electronic protected health information had been impermissibly accessed. Notifications were sent to the affected individuals on October 9, 2012, which included an offer of free credit monitoring. The VHA Privacy Office provided OCR with a case summary, an extract from the Sensitive Patient Access Report, the tracking ticket report, an example breach notification letter, its breach notification to the Secretary, and relevant correspondence and policies. OCR also reviewed the documents you provided, including your breach notification letter, the November 26, 2012 memorandum reporting the investigation, the Sensitive Patient Access Report, and the July 17, 2012 internal complaint letter.

The Privacy Rule issues raised by this complaint at the time it was filed were addressed by voluntary remedial action. However, the Security Rule issues regarding the safeguards in the VHA electronic medical record system identified here by OCR were not addressed in the VHA Privacy Office's response to this complaint. Headquarters staff is currently working with them to resolve such issues with the VHA medical record system on a national level.
We are therefore closing this transaction and referring the matter to OCR Headquarters for review as a part of those efforts. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR and does not apply to any other issues regarding compliance with the Privacy and Security Rules.

Please note that no covered entity may intimidate, threaten, coerce or discriminate against an individual because he or she has made a complaint, testified, assisted, or participated in any manner in an action to secure rights protected by the Privacy Rule enforced by OCR. Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event OCR receives such a request, we will seek to protect, to the extent provided by law, personal information which, if released, would constitute an unwarranted invasion of privacy. If you have any questions, please contact Terrill Clements of my staff at 206-615-2287.

Sincerely,

Linda Yuu Connor
Regional Manager
Office for Civil Rights


Date: [month illegible] 03, 2013

RE: OCR Transaction Number 13-153225

Dear [name redacted]:

On April 3, 2013 the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received your complaint alleging that the VA Puget Sound Health Care System was in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, your complaint alleged that workforce member [name redacted] impermissibly accessed your electronic protected health care information.
As you were advised by OCR on April 9, 2013, your complaint was consolidated with an existing OCR complaint investigation regarding this issue. A third complaint about this matter was also consolidated with this investigation. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In response to complaint notification, the Veterans Health Administration (VHA) Privacy Office stated that the [redacted] Privacy Officer had received a complaint in July 2012 from an employee regarding [name redacted]'s impermissible access to her electronic protected health information. A Privacy and Security Event Tracking System ticket was issued to the Incident Response Team for review of this matter, and the allegations were investigated. The investigation found that Ms. [redacted] had inappropriately accessed the records of numerous employees. Disciplinary action was recommended to her supervisor and Human Resources, and this was implemented in January 2013. The information provided to OCR reflects that the investigation found that 33 individuals' electronic protected health information had been impermissibly accessed. Notifications were sent to the affected individuals on October 9, 2012, which included an offer of free credit monitoring. The VHA Privacy Office provided OCR with a case summary, an extract from the Sensitive Patient Access Report, the tracking ticket report, an example breach notification letter, its breach notification to the Secretary, and relevant correspondence and policies. OCR also reviewed documents provided by one of the Complainants, including her breach notification letter, a November 26, 2012 memorandum reporting the investigation, a complete Sensitive Patient Access Report, and her July 2012 internal complaint letter.
The Privacy Rule issues raised by these complaints were addressed by voluntary remedial action. However, your complaint also alleged that you only learned of the breach of your records later, when you were asked by [name redacted] whether you had received a letter and then followed up with the Privacy Officer. You then learned that your October 9, 2012 notification letter had been returned undelivered because you had moved. Despite the fact that you are a [redacted] employee, no further attempts were apparently made to notify you. The Breach Notification Rule provides that where contact information is insufficient or out of date for ten or fewer affected individuals, a covered entity shall provide substitute notice by an alternate means, such as telephone. Where more than ten persons are involved, a covered entity is required to make substitute notification by either making a conspicuous posting on its web site or by placing a notice in major print or broadcast media. See 45 C.F.R. Your allegations reflect that these requirements may not have been met in your case. We have therefore advised the VHA Privacy Office of this and requested that they take all necessary steps to ensure that [redacted] complies with these notification requirements in the future.

The Security Rule issues regarding the safeguards in the VHA electronic medical record system identified here by OCR were not addressed in the VHA Privacy Office's response to this complaint. However, Headquarters staff is currently working with them to resolve such issues with the VHA medical record system on a national level. We are therefore closing this transaction and referring the matter to OCR Headquarters for review as a part of those efforts. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR and does not apply to any other issues regarding compliance with the Privacy and Security Rules.
Please note that no covered entity may intimidate, threaten, coerce or discriminate against an individual because he or she has made a complaint, testified, assisted, or participated in any manner in an action to secure rights protected by the Privacy Rule enforced by OCR. Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event OCR receives such a request, we will seek to protect, to the extent provided by law, personal information which, if released, would constitute an unwarranted invasion of privacy. If you have any questions, please contact Terrill Clements of my staff at 206-615-2287.

Sincerely,

Linda Yuu Connor
Regional Manager
Office for Civil Rights