DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Voice - (300) 363-1019
TDD - (404) 562-1884, (300)
Fax - (404) 562-7881

Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T10
61 Forsyth Street, S.W.
Atlanta, GA 30303

March 29, 2013

[redacted]

Andrea Wilson, RHIA, CIPP, CIPP/G
Privacy Implementation Coordinator
Veterans Health Administration
Information Access and Privacy Office
810 Vermont Ave. NW
Washington, DC 20420

Re: [redacted] v. Veterans Health Administration
Our Reference number: 11-134075

[redacted]

Dear and Ms. Wilson:

On August 8, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart D - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. 164.400-164.414). Specifically, the Complainant, [redacted] states is an employee of the VA Medical Center in Memphis. [redacted] accessed medical records on several occasions, most recently on August 4, 2011. [redacted] told that she accessed his PHI and subsequently, posted that information on Facebook and discussed it with her friends. states that he complained to the VA, but nothing was done. These allegations could reflect violation of 45 CFR 45 CFR 45 CFR 164.530(d) and 45 CFR respectively.

The Privacy Rule states that a covered entity may only disclose protected health information for treatment purposes, payment, health care operations, to the individual, or as otherwise permitted by law. See 45 C.F.R.
The Privacy Rule also mandates that a covered entity must also have in place the appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R. A covered entity must maintain a process by which patients can file privacy complaints. See 45 C.F.R. Finally, a covered entity must identify those classes of persons who require access to protected health information to perform their daily duties. See 45 C.F.R.

OCR enforces the Privacy, Security and Breach Notification Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

On January 8, 2013, OCR notified Andrea Wilson, Privacy Implementation Coordinator, of the complaint against the VA Medical Center in Memphis (hereinafter, Specifically, we sent the facility a written request for evidence asking that they provide us with a statement detailing the results of their internal investigation of allegations. We also requested a copy of policies and procedures relating to safeguards, impermissible uses and disclosures of protected health information (hereinafter, the privacy complaint process and the "minimum necessary" standard. Finally, we requested documentation showing that was sanctioned/retrained or sanctioned on the aforementioned provisions of the Privacy Rule if it was ultimately determined that a violation occurred.

Ms. Wilson responded to written request for information on behalf of VAMC on January 29, 2013. In her response, she submitted copies of the requested policies and procedures and gave OCR written assurances that the facility thoroughly investigated allegations upon receipt of notification. Specifically, she told us that first reported the incident on August 10, 2011.
After conducting an audit of electronic records, the facility determined that impermissibly accessed his medical record 61 times between March 2008 and September 2010. When was interviewed, she was unable to provide a business related reason for accessing medical record. After supervisor consulted with Human Resources, VAMC decided to take disciplinary action against her. Thereafter, [redacted] was suspended for 14 days from May through June 9, 2012. A copy of the disciplinary action that became part of her permanent employee file was provided to OCR as evidence.

In sum, while VAMC determined that [redacted] impermissibly accessed [redacted] PHI in violation of their policies, the facility took appropriate corrective action in response. Based on the foregoing, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Veterans Health Administration. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Akara Whiten, Investigator, at (404) 562-?189 (Voice), (404) 562-7884, (800) 537-769? (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager