DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the WW

Voice - (404) ssz-rsse, (soc) 363?1019
TDD - (404) 562-?834, (soc) 537-769?
Fax - (404) 562-7881

Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303

December 11, 2012

[redacted]

Ms. Andrea Wilson, RHIA, CIPP, Privacy Implementation Coordinator
Information Access & Privacy Office
Department of Veterans Affairs
810 Vermont Ave, N.W.
Washington, DC 20420

[redacted]

Re: vs. Tennessee Valley Healthcare System
Our Reference number: 04-11-128549

Dear and Ms. Wilson:

On June 2, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint filed by [redacted] (Complainant), alleging that the Tennessee Valley Healthcare System (TVHS), the covered entity (CE), located in Murfreesboro, Tennessee, is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules, and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R.

The complaint alleges that violations of the Privacy Rule occurred during the period June 2006 - October 2010, when her protected health information (PHI) was impermissibly accessed without prior authorization. Specifically, Complainant alleges that several employees not directly involved in her care, including supervisors, physicians in Nashville who were administrators, staff involved in evaluating her work, and nurses who worked with her, impermissibly accessed her PHI over the course of her employment. Complainant further alleges that the subject workforce members continued to be employed, yet she received a one year membership for fraud protection.
These allegations could reflect potential violations of 45 C.F.R. 164.502 [uses and disclosures of 164.514 [minimum necessary], and [reasonable safeguards], respectively.

OCR enforces the Privacy, Security and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule states that a CE may not use or disclose PHI, except as permitted or required by the Rule. (See 45 C.F.R. must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (See 45 C.F.R. This standard requires that CEs make reasonable efforts to prevent uses and disclosures of PHI that are not permitted by the Rule. Accordingly, the Rule also requires that CEs implement reasonable safeguards to limit incidental uses or disclosures of PHI. (See 45 CFR The Rule further provides that a CE must provide a process for individuals to make complaints concerning the policies and procedures required by the Rule, or its compliance with such policies and procedures. (See 45 C.F.R.

OCR notified Ms. Andrea Wilson, Privacy Coordinator, of the complaint filed against the CE. In addition, OCR reported the allegations in the complaint and requested that the CE provide documentation regarding its internal investigation. OCR also requested a copy of the policies and procedures. In correspondence dated November 14, 2011, the CE responded to the complaint, acknowledging that a privacy infraction occurred.

OCR's examination of this matter reveals that the CE reported that Complainant filed a claim with the Office of Inspector General and the claim was subsequently submitted to the TVHS Privacy Officer, Mr. Larry Young, on February 8, 2011.
Subsequently Complainant was contacted to obtain additional information, and the CE prepared a Sensitive Patient Access Report (SPAR), during January 1, 2006 through December 31, 2009, the period in which Complainant was employed with the CE. The results of the SPAR audit included 41 pages of data for Complainant's record, and 16 individuals were identified as to whether they had a need to know, and thus would have had a permissible reason to access Complainant's records. Each individual was contacted on March 4, 2011, and asked to provide a written statement regarding their access. Significantly, the record reflects that of the 16 staffers contacted, eleven (11) individuals obtained impermissible access consistent with Complainant's claim. All such documentation has been submitted to OCR.

OCR's review of the submission determined that a HIPAA privacy breach was in fact substantiated, and corrective actions taken. Corrective actions involved the following: Mr. Juan Morales, Director TVHS, was notified via memorandum of the results of the SPAR audit. Two (2) of the affected employees retired, one in August 2010 and another in April 2011. All eleven (11) of the offenders who accessed Complainant's record were required to receive remedial HIPAA training, for which certificates for retraining were issued. In addition, nine of the remaining offenders received verbal counseling which was documented in their official files. The CE issued a memorandum to all TVHS employees addressing improper access of medical records, and a reminder that it is inappropriate to conduct such actions. Finally, Complainant was issued a letter of apology (LOA) regarding the subject privacy breach, advised that actions were taken to address the offending staffers, and offered the opportunity to participate in an identity theft protection program for a period of one (1) year.
In light of the foregoing, OCR determined that the CE has taken appropriate corrective action steps to mitigate the harm described in the subject complaint. Based on the aforementioned actions, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Tennessee Valley Healthcare System. Therefore, OCR is closing its file regarding this matter.

OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Ms. Ingrid Dove, Investigator, at (404) 562-787? (Voice), or (404) 562-7384 (TDD).

Sincerely,

Rooseve Freem
Regional Manager