DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region III
150 S. Independence Hall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

Voice - (215) 361-4441
TDD - (215) 361-4440
FAX - (215) 861-4431

Reference: 13-15906?
Investigator: Alisha Welch
Contact Telephone: (215) 861-4439

November 12, 2013

[redacted]

Dear [redacted]:

On October 23, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that the Virginia Department of Veteran Services, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that when you visited the Virginia Department of Veteran Services, patient files were left in an opened, unattended filing cabinet. This allegation could reflect a violation of 45 C.F.R. [illegible].¹

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R.
For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

We have carefully reviewed your complaint against the Virginia Department of Veteran Services and have determined to resolve this matter informally through the provision of technical assistance to the Virginia Department of Veteran Services. Should OCR receive a similar allegation of noncompliance against the Virginia Department of Veteran Services in the future, OCR may initiate a formal investigation of that matter. For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Alisha Welch, Investigator, at (215) 861-4439 (Voice) or (215) 861-4439 (TDD).

Sincerely,

Barbara J. Holland
Regional Manager

Enclosure: Reasonable Safeguards

¹ You also raise issues about a billing dispute with Family Care West. After our review of your complaint, we have determined that we do not have jurisdiction to review your billing dispute with Family Care West.


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region III
150 S. Independence Hall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

Voice - (215) 361-4441
TDD - (215) 361-4440
FAX - (215) 861-4431

Reference: 13-16906?)
Investigator: Alisha Welch
Contact Telephone: (215) 861-4439

November 12, 2013

Virginia Department of Veteran Services
11198 Lee Highway, Unit D4
Fairfax, VA 22030

Dear Sir or Madam:

On October 23, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that the Virginia Department of Veteran Services, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that when he visited the Virginia Department of Veteran Services, patient files were left in an opened, unattended filing cabinet. This allegation could reflect a violation of 45 C.F.R.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable safeguards to prevent impermissible disclosures of protected health information (PHI). A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. 45 C.F.R.

Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to the Virginia Department of Veteran Services.
To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Reasonable Safeguards. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been any noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. In addition, OCR encourages you to review the facts of this individual's complaint and provide the individual the appropriate written response swiftly if necessary to comply with the requirements of the Privacy Rule.

Should OCR receive a similar allegation of noncompliance against the Virginia Department of Veteran Services in the future, OCR may initiate a formal investigation of that matter. In addition, please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of the Virginia Department of Veteran Services related to your compliance with the Privacy Rule's provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Alisha Welch, Investigator, at (215) 861-4439 (Voice) or (215) 861-4440 (TDD).

Sincerely,

Barbara J. Holland
Regional Manager

Enclosure: Reasonable Safeguards