DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY voiee- (215)861-4441 Office for Civil Rights, Region TDD - (215) 361-4440 150 5. Independence Mall West FAX - (215) 861-4431 Public Ledger Building, Suite Fhlladelphia, PA 19106-3499 Reference: 13-15191 Investigator: Jamie Rahn Ballav Contact Telephone: 215-861-4432 June 2013 {bll?ll?liilicl Ms. Andrea Wilson, RHIA, CIPP, CIPPIG VHA Privacy Implementation Coordinator Information Access and Privacy Of?ce- Department of Veterans Affahs-Vcterans Health Administration 310 Vermont Ave, NW Washington DC 20420 Dear (bl?llbl?'llcl Ms. Wilson: On March 19, 2013, the US. Department of Health and Human Services (HHS), Of?ce Civil Rights (OCR) received a complaint alleging a violation of the-Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health lnfonnation (45 C.F.R. Parts 160 and 164, ?3qu A, C, and E, the Privacyr and Security Rules) against the Veterans Administration Medical Center the Covered Entity) located in Virginia. Speci?cally, the Complainant, alleges tl'at a coworker hnpennissihly accessed her electronic medical record several times beginning in August of 2010. The Complainant alleges that the co?worke? accessed her record prior to being involved in her medical care. These allegations could represent violations of 45 CPR. ?164.502(a) [impermissible usesfdisclosures] and and [safeguards] of the Privacy Rule. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR's review of the Complainant?s Sensitive Patient Access Report (SPAR) reveals that the coworker accessed the Conaplainant?s electronic health record on August 27, 2010. As the coworker was not involved in the Complainant?s care at that time, OCR has determined that the coworker's access to the Complainant?s health record ?or this date was impermissible. As a result of this incident, the Covered Entity suspended the employee for her actions and she was required to successfully complete Plivacv and HIPAA Furthermore the Covered Entity provided OCR with documentation that it has reported this breach to the HHS Secretary, and that it has provided appropriate notice of the breach to the Complainant in accordance with the Breach Noti?cation Rule. Consequently, OCR has determined that all matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of the Covered Entity. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letta' and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Ms. Jamie Rabn Bailey, Investigator, at 215-861-4432. Sincerely, Barbara J. Holland Regional Manager I