DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, SW
Atlanta, GA 30303-8909
Voice: (404) 562-7886, (800) 368-1019
TDD: (404) 562-7884
FAX: (404) 562-7881

November 29, 2012

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
Ms. Vicki Bowman
VHA Privacy Implementation Coordinator
Information Access and Privacy Office (10P2C1)
Department of Veterans Affairs, Veterans Health Administration
810 Vermont Ave., NW
Washington, DC 20420

Re: [redacted] vs. Bay Pines VA Medical Center
OCR Transaction Number: 11-130323

Dear Ms. Wilson and Ms. Bowman:

On July 10, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] alleging that Bay Pines VA Medical Center is in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule, Subpart D, Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. §§ 164.400-164.414).

Specifically, Complainant [redacted], a physician assistant, alleges that his ex-girlfriend, [redacted] (a nurse at Bay Pines VA Medical Center), used his social security number to alter his account. [Redacted] claims he guards his SSN well and suspects that [redacted] must have obtained his SSN from his medical records. [Redacted] complained to his employer, Bay Pines VA Medical Center, which provided an accounting of his records showing that [redacted] accessed his records 55 times. [Redacted] was suspended for 10 days. However, [redacted] alleges that Bay Pines VA Medical Center's own procedures state that a HIPAA violation should have led to [redacted]'s termination, not just a suspension. These allegations could reflect violations of 164.528(b), 164.530(e), 164.404(a) and 164.408, respectively.

Please note that 45 C.F.R. § 164.502(a) states, in part, that a covered entity may not use or disclose PHI except as permitted by the HIPAA Privacy Rule. 45 C.F.R. § 164.514(d)(2) states, in part, that a covered entity must identify those persons or classes of persons, as appropriate, in its workforce who require access to protected health information to carry out their duties. 45 C.F.R. § 164.528(b) states, in part, that the covered entity must provide the individual with a written accounting that meets the requirements specified in this subsection, including the disclosures of protected health information. 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. 45 C.F.R. states, in part, that a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures. 45 C.F.R. states, in part, that a covered entity must document all complaints received and their disposition. 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart. 45 C.F.R. § 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures. 45 C.F.R. states, in part, that a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. 45 C.F.R. § 164.408 states, in part, that for breaches involving fewer than 500 individuals, the Act provides that a covered entity may maintain a log of such breaches and annually submit such log to the Secretary documenting the breaches occurring during the year involved.

OCR enforces the Privacy, Security and Breach Notification Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

OCR notified Bay Pines VA Medical Center of the complaint filed by Complainant. This notification, which is OCR's initial written communication with the covered entity about the complaint, described the acts that are the basis of the complaint. OCR's notification to Bay Pines VA Medical Center included a written request for the results of their review of the complaint's allegations. OCR also requested a copy of Bay Pines VA Medical Center's policies and procedures with respect to specific procedures relating to the handling of PHI belonging to their patients.

Ms. Vicki Bowman, Program Specialist for VHA, responded to OCR's written request for information on behalf of the covered entity. In the response, Ms. Bowman submitted copies of the requested policies and procedures that are the subject of the investigation, which are necessary for OCR to determine whether it is complying with the applicable provisions of the Privacy, Security and Breach Notification Rules. Ms. Bowman reports that, based on its internal investigation, the original allegations did have merit in that [redacted] did in fact access [redacted]'s medical record a total of 55 times according to the accounting of disclosures report. [Redacted]'s access of [redacted]'s medical record took place even though there was never a treatment relationship between [redacted] and [redacted].

Our analysis of the information gathered through our investigation discloses that the actions of [redacted] of Bay Pines VA Medical Center were not consistent with the internal policies and procedures related to the impermissible use of and the safeguarding of PHI. An internal investigation reveals that, due to the impermissible access of [redacted]'s medical record, [redacted] would be subject to the sanctions in accordance with the internal policy. OCR's analysis of the information gathered through our investigation reflects that there was not a violation of Bay Pines VA Medical Center's sanction policy and that the 10-day suspension that [redacted] received was in fact consistent with the time frame designated in the internal sanctions policy.

In addition to properly sanctioning [redacted], Bay Pines VA Hospital took the following voluntary corrective measures to demonstrate its willingness to voluntarily comply with the cited provisions of the Privacy Rule:

The VHA filed a timely breach report in compliance with the reporting procedures in place for breaches affecting fewer than 500 individuals;

In light of the potential financial harm that the Complainant may have suffered due to the breach, the Covered Entity provided the Complainant with credit monitoring at all three major credit agencies;

The Covered Entity sanctioned [redacted] with a ten (10) day suspension in accordance with their sanctions policy. The Covered Entity also provided additional training and has documented all of these actions in her employment record.

Based on the foregoing, we have determined that the corrective action measures taken by Bay Pines VA Medical Center and VHA are sufficient to effectively resolve the issues raised by Complainant, and furthermore demonstrate willingness to voluntarily comply with the applicable provisions of the Privacy, Security and Breach Notification Rules.

As part of its investigation, OCR also reviewed the covered entity's internal policies and procedures applicable to 164.530(e), 164.404 and 164.408 of the HIPAA Privacy and Breach Notification Rules. Our review of the same deems them to be compliant with the Privacy and Breach Notification Rules.

Therefore, OCR has determined that all matters raised by this complaint, at the time it was filed, have now been resolved through voluntary compliance actions of Bay Pines VA Medical Center. We are accordingly closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect the information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Anitra Moreland, Investigator, at (404) 562-7521 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager