DEPARTMENT OF HUMAN SERVICES
Office of the Secretary

Voice - (404) 562-T386, (800) 368-1019
TDD - (404) 5623884, (800) 531769?
Fax (404) 562-?381

Office for Civil Rights, Region IV
Atlanta Federal Center, Suite
1mm 61 Street. SW.
Atlanta, GA 30303

June 24, 2013

Ms. Vicky Bowman,
VA. Medical Center - Fayetteville
2300 Ramsey St.
Fayetteville, NC 28301

RE: v. VA. Medical Center - Fayetteville
Reference No: 12-135332

Dear and Ms. Bowman:

On November 7, 2012, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from alleging non-compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the "Privacy and Security Rules") and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. alleged that her PHI was disclosed by the VA for non-authorized purposes. These allegations could potentially reflect a violation of the Privacy Rule. See 45 C.F.R. 164.502(a) and

OCR enforces the Privacy and the Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 C.F.R. The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R.
A covered entity must develop criteria designed to limit access to protected health information to the information reasonably necessary to accomplish the purpose of the disclosure. See 45 C.F.R. 164.514(d)(1

On April 4, 2012, OCR notified VA. Medical Center Fayetteville (hereinafter of the privacy complaint filed by and requested certain documents and information related to the facts alleged. Beginning in April 2012 through June 23, 2013 VAMCF provided a response to the allegations, along with various other policies related to this matter.

From our review of the relevant documents and allegations, it appears that received a call from another veteran acquaintance. During the discussion, he referenced some of the health care treatment she was receiving that indicated he or someone else had accessed her medical record. sought a copy of her access report and learned that a close friend of the person that had called her had accessed her record. When questioned by the Privacy office, the person identified could not account for her access.

The Privacy Rule requires that covered entities have reasonable safeguards that limit disclosures of PHI to those authorized by the Rule. When a suspicious access is identified, it is incumbent on the covered entity to account for the access, and if it cannot do so, to review its safeguards and take corrective action, as necessary. In this case, the employee was sanctioned and counseled of the importance of accessing PHI for only purposes authorized under the Rule.

Accordingly, the matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance action of VAMCF. Accordingly, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence of record pertinent to resolving the issues raised by you in the aforementioned complaint.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Elliott Schwab at (404) 562-390 (Voice), (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager