Voice- {215) 351-4441 Office for Civil Rights, Region TDD - {215) 361-4440 150 5. Independence Mall West FAX - {215) 851-4431 Public Ledger Building, Suite Philadelphia, PA 19106-3499 f?mm DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY 4 Reference: 153785, 153739, 153?90, 153791 Investigator: Amy Kaplan Contact Telephone: 215-361-4446 September 4, 2013 Department of 1Veterans Affairs Veterans Health Administration VHA Privacy Of?ce (IOPZCI), Ms. Andrea Wilson 310 Vermont Avenue, NW Washington, DC 20420 {blt?libltiltcl DearlMs. Wilson: I {blt?libltiltcl On January 9, 2013, the Department of Health and Human Services Of?ce for Civil Rights (OCR) received a complaint alleging that the Department of Veterans Affairs, VHA, Wilmington VA Medical Center is not in compliance with the Federal standards for privacy of individually identi?able health information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts C, and E, the Privacy and Security Rules). Speci?cally, ibl353=itliilt33 alleged that numerous staff members impermissiny accessed her electronic medical record ?le she was a patient without consent or authorization. This allegation could re?ect a violation of 45 (ll-7.12.. regarding impennissibie disclosure of protected health information, and or 45 CPR. regarding safeguards. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On May 29, 2013, OCR noti?ed the Department of Veterans Affairs, Veterans Health Administration regarding the Wilmington Veterans Administration Medical Center We have reviewed the matters raised in the complaint. The VHA provided OCR with written asswance of the following: The comlainant alleged I and ibii?lihl'iilicl LPN, impermissiny accessed her electronic medical recor. reviewin the Sensitive Patl nt Access Report (SPAR), the facility Privacy Of?cer determined that Idid not access the complainant?s health record. However, the complainant alleged that {UliBHbli?ilicl convinced libliBlibl'lil'lCl I Quality Manager, to have her daughter, Ibis] WW go into the comlainant?s records to look for information. The WVAMC Privacy O?icer questioned she stated that she has not accessed the complainant?s health record, nor did she ever an one to access the complainant?s health record. A signed statement was provided to OCR. stated that she never asked her daughter to impermissiny access the complainant?s . A statement provided I noted that on Apri129, 2009, her osition as Administrative Assistant to the Associate Director for Patient Care Services included developing a shared folder that tracked ED visits, for the purposes of accessing staf?ng needs, patient ?ow and quality of care. At that time, [noted that they mutiner reviewed each case, whether Veteran or non-Veteran that utilized the Wilmington ED. The WVAMC noted that LPN, accessed the complainant?s health record a total of ?ve times. He stated that the accessed her record twice in April 2009 and twice in January 201] because he was curious about her age. On January 8, 2013, he noted that be possibly accidentally clicked on her name in the health record because he was receiving a possible admission of a patient from the ED and wanted to read up on his chart and the patient was also a patient in the ED that day. As a result of the findings, the VHA found some of the comlaint to be valid as it was determined that were- imermissibly accessed health record. AS such, wvamc sanctioned they submitted a Privacy and Security Event ticket (ream) and the VA incident Response Team determined that a noti?cation letter should be sent to the complainant [sent on July 5, 2013) and the breach was reported to HHS on July id, 2012. in addition, completed additional HIPAA education on October 2, 2012. The VHA noted t1-_ - {bli?libliilicl nor {bli?ziblmisl cess to iblli?litliili?l health record. was not on the SPAR list received and RN is no longer employed with VAMC Wilmington. was informed of these ?ndings in a letterdatedJuly 5, 2013. ii {bli? indicated that she believed that libi'i?ilibimici Ihad her daughter, ?Emma go into the record for her, howeverm is no longer an employee and could not be further questioned. The Privacy Rule at 45 C.F-R. provides that a covered entity must have and apply appropriate sanctions against members of its workforce who fail with the privacy policies and procedures of the covered entity. In so far as the individual alleged to have made the impermissible access is no longer employed, and there are no indications of systemic compliance de?ciencies, there is no action that can reasonably be taken to Further address this matter. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VHA. Therefore, OCR is closing this case. . determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make ever},r effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Amy Kaplan, at (215) 861-4446. Sincerely, bara J. Holland Regional Manager Voice- {215) 361-4441 Office for Civil Rights, Region TDD - {215) 361-4440 150 5. Independence Mall West FAX - {215) 851-4431 Public Ledger Building, Suite Philadelphia, PA 19106-3499 f?mm DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY i Reference: 153785, 153739, 153?90, 153791 Investigator: Amy Kaplan Contact Telephone: 215-361-4446 September 4, 2013 Department of 1Veterans Affairs Veterans Health Administration VHA Privacy Of?ce (IOPZCI), Ms. Andrea Wilson 310 Vermont Avenue, NW Washington, DC 20420 Dear Ms. Mlson: On January 9, 2013, the Department of Health and Human Services Of?ce for Civil Rights (OCR) received a complaint alleging that the Department of Veterans Affairs, VHA, Wilmington VA Medical Center is not in compliance with the Federal standards for privacy of individually identi?able health information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts C, and E, the Privacy and Security Rules). Speci?cally, I alleged that numerous staff members impennissibly accessed her electronic medical record while she was a patient without consent or authorization. This allegation could re?ect a violation of 45 (ll-7.12.. regarding impermissible disclosure of protected health information, and or 45 ORR regarding safeguards. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. 011 May 29, 2013, OCR noti?ed the Department of Veterans Affairs, Veterans Health Administration regarding the Wilmington Veterans Administration Medical Center We have reviewed the matters raised in the complaint. The VHA provided OCR with written asSurance of the following: The complainant alleged I and LPN, impermissiny accessed her electronic medical record. In reviewing the Sensitive Patient Access Report (SPAR), the facility Privacy Of?cer determined that I did not access the complainant?s health record. However, the complainant alleged that ibibiim'i'?ul convinced rimming Quality Manager, to have her daughter, go into the comlainant?s records to look for information. The WVAMC Privacy O?icer questioned and she stated that she has not accessed the complainant?s health record, nor did she ever ask an one to access the complainant?s health record. A signed statement was provided to OCR. ibi'iBJ-ibimici stated that she never asked her daughter to impermissiny access the complainant?s health record. A statement provided bylibliw?iilicl [noted that on Apri129, 2009, her position as Administrative Assistant to the Associate Director for Patient Care Services included developing a shared folder that tracked ED visits, for the purposes of accessing staf?ng needs, patient ?ow and quality of care. At that time, Inoted that they mutiner reviewed each case, whether Veteran or non-Veteran that utilized the Wilmington ED. The wvamc noted thetlibi'i?liwcl ILPN, accessed the complainant?s health record a total of ?ve times. He stated that the accessed her record twice in April 2009 and twice in January 201] because he was curious about her age. On January 8, 2013, he noted that be possibly accidentally clicked on her name in the health record because he was receiving a possible admission of a patient from the ED and wanted to read up on his chart and the patient was also a patient in the ED that day. detennined that {blimiblmm impermissiny accessed health record. As such, WVAMC sanction rescue) a they submitted a Privacy and Security Event ticket (PSETS) and the VA incident espouse "earn determined that a noti?cation letter should be sent to the compl July 5, 2013) and the breach was reported to HHS on July id, 2012. In addition, talent?) . itional HIPAA education 011 October 2, 2012. The VHA noted that ne1ther (?Emma norlmisliblmicl had any access to libl?libliilml I health record (butane)th was not on the 1 mead andlibretthleltcl is no longer-emp oy with VAMC Wilmington. Ms. Thomas was informed of these ?ndings in a letter dated July 5, 2013. indicated that she believed that I?bmmirm Ihad her daughter, [bli?libliilicl into the record for her, Iis no longer an employee As a result of the fmdi s, the VHA found some of the comlaint to be valid as it was I and could not be further questioned. The Privacy Rule at 45 C.F-R. provides that a covered entity must have and apply appropriate sanctions against members of its workforce who fail tocomply with the privacy policies and procedures of the covered entity. In so far as the individual alleged to have made the irnpemtissible access is no longer employed, and there are no indications of systemic compliance de?ciencies, there is no action that can reasonably be taken to Further address this matter. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VHA. Therefore, OCR is closing this case. . determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make ever},r effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Amy Kaplan, at (215) 861-4446. Sincerely, bara J. Holland Regional Manager Voice- {215) 361-4441 Office for Civil Rights, Region TDD - {215) 361-4440 150 5. Independence Mail West FAX - {215) 851-4431 Public Ledger Building, Suite Philadelphia, PA 19106-3499 f?m'te, DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY i Reference: 153785, 153739, 153?90, 153791 Investigator: Amy Kaplan Contact Telephone: 215-361-4446 September 4, 2013 Department of 1Veterans Affairs Veterans Health Administration VHA Privacy Of?cg I 310 Vermont Avenue, NW Washington, DC 20420 {bli?l {bit?till?) I r' {blt?iibiti?iici On January 9, 2013, the Department of Health and Human Services Of?ce for Civil Rights (OCR) received a complaint alleging that the Department of Veterans Affairs, VHA, Wilmington VA Medical Center is not in compliance with the Federal standards for privacy of individually identi?able health information andror the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts C, and E, the Privacy and Security Rules). Speci?cally, limiilibliilicl Ialleged that numerous staff members. impennissibly accessed her electronic medical record while she was a patient without consent or authorization. This allegation could re?ect a violation of 45 (ll-7.12.. regarding impermissible disclosure of protected health information, and or 45 CPR. regarding safeguards. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. 011 May 29, 2013, OCR noti?ed the Department of Veterans Affairs, Veterans Health Administration regarding the Wilmington Veterans Administration Medical Center We have reviewed the matters raised in the complaint. The VHA provided OCR with ?mitten aSSurance of the followin: The comlainant alleged Either? and LPN, impermissiny accessed her electronic medical record. In reviewin the Sensitive Patient Access Report (SPAR), the facility Privacy Of?cer determined that libii?iibimici ldid not access the complainant?s health record. However, the complainant alleged that ?DWiWi'il convinced i Quality Manager, to have her daughter, tibial-mm) Igo into the comlainant?s records to look for information. The WVAMC Privacy O?icer questioned stated that she has not accessed the complainant?s health record, nor did she ever ask anyone to access the complainant?s health record. A signed statement was provided to OCR. ibii?l-ibliili?ll stated that she never asked her daughter to impermissihly access the complainant?s health record. A statement provided bylihlt?lthitiit?i noted that on Apri129, 2009, her position as Administrative Assistant to the Associate Director for Patient Care Services included developing a shared folder that tracked ED visits, for the purposes of accessing staf?ng needs, patient ?ow and quality of care. At that time, looted that they mutiner reviewed each case, whether Veteran or non-Veteran that utilized the Wilmington ED. The WVAMC noted that LPN, accessed the complainant?s health record a total of ?ve times. He accessed her record twice in April 2009 and twice in January 201] because he was curious about her age. On January 8, 2013, he noted that be possibly accidentally clicked on her name in the health record because he was receiving a possible admission of a patient from the ED and wanted to read up on his chart and the patient eras also a patient in the ED that day. As a result of the ?ndings, the VHA fotmd some of the complaint to be valid as it was determined that Iimpermissibly accessed health record. As such, WVAMC sanctioned they submitted a Privacy an ecurity Event ticket (PSETS) and the VA incident Response cam determined that a noti?cation letter should be sent to the complainant sent on July 5, 2013) and the breach was reported to HHS on July id, 2012. in additionation on October 2012. The VHA noted nor ?0 {Bub had cess to {Waiibimmi health [record. mimic) was not on the SPAR 11st received and ?bHB-?Mmci . RN 1s no longer employed with VAMC Wilmington. was informed of these ?ndings in a letter dated July 5, 2013. {histamine} indicated that she believed that libi?iitb?tiitm had her daughter, ?Whining: Igo into the record for her, howeve bi'miiblm 13 no longer an employee and could not be further questioned. The Privacy Rule at 45 C.F-R. provides that a covered entity must have and apply appropriate sanctions against members of its workforce who fail tocomply with the privacy policies and procedures of the covered entity. In so far as the individual alleged to have made the impermissible access is no longer employed, and there are no indications of systemic compliance de?ciencies, there is no action that can reasonably be taken to Further address this matter. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VHA. Therefore, OCR is closing this case. . determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make ever},r effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Amy Kaplan, at (215) 861-4446. Sincerely, bara J. Holland Regional Manager Voice- {215) 351-4441 Office for Civil Rights, Region TDD - {215) 361-4440 150 5. Independence Mall West FAX - {215) 851-4431 Public Ledger Building, Suite Philadelphia, PA 19106-3499 f?mm DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY i Reference: 153785, 153739, 153?90, 153791 Investigator: Amy Kaplan Contact Telephone: 215-361-4446 September 4, 2013 Department of 1Veterans Affairs Veterans Health Administration VHA Privacy Of?ce (IOPZCI), Ms. Andrea Wilson 310 Vermont Avenue, NW Washington, DC 20420 {Dlt?l DearlMs. Mlson: I On January 9, 2013, the Department of Health and Human Services Of?ce for Civil Rights (OCR) received a complaint alleging that the Department of Veterans Affairs, VHA, Wilmington VA Medical Center is not in compliance with the Federal standards for privacy of individually identi?able health information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts C, and E, the Privacy and Security Rules). Speci?cally, Ialleged that numerous staff members. impermissiny accessed her electronic medical record while she was a patient without consent or authorization. This allegation could re?ect a violation of 45 (ll-7.12.. regarding impermissible disclosure of protected health information, and or 45 CPR. regarding safeguards. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. 011 May 29, 2013, OCR noti?ed the Department of Veterans Affairs, Veterans Health Administration regarding the Wilmington Veterans Administration Medical Center We have reviewed the matters raised in the complaint. The VHA provided OCR asswance of the followin: The comlainant alleged tltallibii?libllilici (Miami??mi I - and LPN, impermissiny accessed her electronic medical record. In reviewin the Sensitive Patient Access Report (SPAR), the facility Privacy Of?cer determined that {bli?libliilim did not access the complainant?s health record. However, the complainant alleged thatlialbl Iconvincedlibli?liblii'icl I 5 Quality Manager, to have her daughter, Igo ta mlainant records to look for information. The WVAMC Privacy O?icer questioned and she stated that she has not accessed the complainant?s health record, nor did she ever ask an one to access the complainant?s health record. A signed statement was provided to OCR. stated that she never asked her daughter to impermissiny access the complainant?s health record. A statement provided by Inoted that on Apri129, 2009, her position as Administrative Assistant to the Associate Director for Patient Care Services included developing a shared folder that tracked ED visits, for the purposes of accessing staf?ng needs, patient ?ow and quality of care. At that time, lnoted that they mutiner reviewed each case, whether Veteran or non-Veteran that utilized the Wilmington ED. the wvamc noted that LPN, accessed the complainant?s health a total of ?ve times. He stated that the accessed her record twice in April 2009 and twice in January 201] because he was curious about her age. On January 8, 2013, he noted that be possibly accidentally clicked on her name in the health record because he was receiving a possible admission of a patient from the ED and wanted to read up on his chart and the patient was also a patient in the ED that day. As a result of the ?ndings, the VHA fotmd some of the complaint to be valid as it was determined that {bli?liblillicl imermissibly accessed health record. As such, WVAMC sanctioned they submitted a Privacy and Security Event ticket (PSETS) and the VA incident Response Team determined that a noti?cation letter should be sent to the complainant [sent on July 5, 2013) and the breach was reported to HHS on July to, 2012. In addition, completed additional HIPAA education on October 2, 2012. The VHA noted that neither nor had an access to {bl?ltbliiltcl health record. was not on the SPAR list received andl'iblislibliilisl IRN is no longer employed with VAMC on. was informed of these ?ndings in a letterdatedJuly 5, 2013. jets . indicated that she believed that had her daughter, go into the record for her, however Katherine is no longer an employee and could not be further questioned. The Privacy Rule at 45 C.F-R. provides that a covered entity must have and apply appropriate sanctions against members of its workforce who fail toeomply with the privacy policies and procedures of the covered entity. In so far as the individual alleged to have made the impermissible access is no longer employed, and there are no indications of systemic compliance de?ciencies, there is no action that can reasonably be taken to ?irther address this matter. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the VHA. Therefore, OCR is closing this case. . determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make ever},r effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Amy Kaplan, at (215) 861-4446. Sincerely, bara J. Holland Regional Manager