DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-3909
Voice - (404) 562-7386
TDD - (404) 562-7384

April 29, 2013

VHA Information Access and Privacy Office
Attn: Andrea Wilson, CIPP/G
VHA Privacy Specialist
Department of Veterans Affairs
310 Vermont Ave, NW.
Washington, DC 20420

Re: [redacted] v. VA Marion
OCR Transaction Number: 12-1382

Dear [redacted] and Ms. Wilson:

On January 27, 2012, the U.S. Department of Health and Human Services Office for Civil Rights received a complaint from Complainant, alleging that the Marion Veterans Administration Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Specifically, [redacted] filed this complaint on behalf of [redacted] and alleges that a member of the covered entity's workforce impermissibly disclosed [redacted] PHI when he/she left medical records in the visitor's lounge on October 31, 2011. These records were found by Complainant's daughter near the magazines in the MVAMC lounge. These allegations could reflect violations of 45 C.F.R. 164.53 and 164.530(c), respectively.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.
The Privacy Rule states that a covered entity may not use or disclose protected health information, except as permitted or required by the Rule. See 45 C.F.R. § 164.502(a). The Privacy Rule further states the covered entity must have appropriate safeguards to protect the privacy of its patients' protected health information. See 45 C.F.R. 164.5. In addition, the Privacy Rule mandates that a covered entity must mitigate any harmful effect that is known to a covered entity of a use or disclosure of protected health information in violation of its policies and procedures. See 45 C.F.R. § 164.530(f).

OCR notified the MVAMC of the complaint filed by the Complainant on May 3, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to OCR's notification, VHA Privacy Specialist, Andrea Wilson, submitted a response on behalf of the MVAMC on July 18.

OCR's investigation included a review of the covered entity's pertinent policies, procedures, and practices, as well as the circumstances regarding the alleged violation(s). Accordingly, OCR reviewed the policies and procedures produced by the MVAMC, which included the following: "Reasonable Safeguards," "Sanctions," "Privacy Training and Education," and other policies and procedures. OCR examined all of the submitted policies and procedures and found no indication of noncompliance with the HIPAA Privacy and Security Rules. MVAMC also provided OCR with the following documents: "Record of Contact," "SOC Ticket," "Report to Secretary of," "Credit Monitoring Notification Letter," and "Re-training PowerPoint and Sign In Sheets." In its response, the MVAMC reports that based on its internal investigation, it was in violation of the cited provisions of the Privacy Rule.
Based on analyzing the information gathered through OCR's investigation, OCR found that the MVAMC did not comply with the Privacy Rule provisions restricting impermissible disclosures of patient PHI and requiring implementation of safeguards, in violation of the MVAMC's own policies and procedures. The evidence showed the following: (1) the facility Privacy Officer did not receive a complaint from the patient or his family; (2) the PO was informed by the MVAMC Medical Director that there was another legal action taking place involving the care and the complaint included the PHI documents that were found by the Complainant; (3) the PO verified that the provider is no longer employed by MVAMC; (4) thus, he/she was unable to be interviewed; (5) the PO met with the Nurse on Duty at the time of the incident, who stated that she and the provider met with [redacted] family in the inpatient medical lounge to go over medical documents from Herron Hospital; (6) no other patients were present in the lounge; (7) when other patients did need the lounge, the discussion moved to the nurses' station; (8) the documents found were not Herron Hospital documents, but were created or otherwise maintained by MVAMC; and, (9) MVAMC was unable to determine how the Complainant (or otherwise other family member) found and removed PHI.

Based on this admission of noncompliance, the MVAMC provided OCR with written assurance of the following corrective measures: (1) VANSOC has provided credit monitoring to the patient; (2) the incident was subsequently reported to HHS (as a Breach Report); (3) MVAMC provided re-training to the ward staff; (4) the Privacy Officer will continue to monitor compliance through routine EOC round and ad hoc observations and Privacy training presentations.
Based on a review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the subsequent actions taken by the MVAMC to voluntarily comply with the Privacy Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of the Bureau, and therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Andrew Mahler, Investigator, at 404-562-7865 (Voice), (404) 562-7834 (TDD), or via e-mail at AndrewMahlermsgov.

Sincerely,

Roosevelt Freeman
Regional Manager, Region IV