DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
61 [street name illegible] Street, SW.
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909
Voice - (404) 562-4836, (800) 368-1019
TDD - (404) 562-7834, (800) [number illegible]
FAX - (404) 562-[digit illegible]381

June 20, 2012

VHA Information Access and Privacy Office
Attn: Andrea Wilson, CIPP/G
VHA Privacy Specialist
Department of Veterans Affairs
810 Vermont Ave, NW. (1 OPZC)
Washington, DC 20420

Re: [redacted] vs. VAMC Lexington
OCR Reference Number: 12-138333

Dear [redacted] and Ms. Wilson:

On January 20, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Complainants alleging that VA Medical Center Lexington (hereinafter, VAMC) is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule, Subpart [letter illegible] - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. [section illegible]). Specifically, [redacted] ("Complainant"), alleges that the VAMC, where he is employed as a police officer, impermissibly accessed his PHI beyond the minimum necessary, when on February 2, 2011, and multiple prior occasions, VAMC medical personnel, [redacted] and [redacted], ARPN, accessed Complainant's Veterans Health Record, which is outside the scope of the Complainant's employee physical. Moreover, Complainant contends that the named Employee Health workforce members are utilizing the PHI in the record to retaliate against him in his capacity as a police officer for the VAMC. Finally, upon voicing his grievance to the VAMC, his complaint was disregarded as "business as usual." These allegations could reflect violations of 45 C.F.R. [section numbers illegible], respectively.

Please note that 45 C.F.R. § 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the HIPAA Privacy Rule. Also, 45 C.F.R. [section illegible] states that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such persons to the categories of PHI as minimally necessary. Additionally, 45 C.F.R. [section illegible] states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. 45 C.F.R. § 164.530(d) requires covered entities to provide a process for individuals to make complaints concerning the covered entity's policies and procedures or its compliance with the Privacy Rule, and to document such complaints and their resolution. Moreover, 45 C.F.R. [section illegible] states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the Privacy Rule. 45 C.F.R. § 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures. Finally, 45 C.F.R. § 164.530(g) prohibits a covered entity from intimidating, threatening, coercing, discriminating against, or otherwise retaliating against an individual for exercising such rights under the Rules.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VAMC of the complaint filed by Complainant on April 30, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to OCR's notification, Privacy Implementation Coordinator Andrea Wilson submitted a response on behalf of VAMC on June 1, 2012. OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations. Accordingly, OCR reviewed the policies and procedures produced by VAMC, which included the following: "Use and/or Access of Employee Health Information," "Privacy Policy," and the procedures included as Attachments [illegible]. OCR examined all of VAMC's submitted policies and procedures and found no indication of noncompliance with the HIPAA Privacy and Security Rules. OCR also reviewed VAMC's internal investigation, as well as proof of HIPAA training documentation.

In its response, VAMC admits that its employees within the department of Occupational Health, [redacted] and [redacted], did impermissibly access the PHI of Complainant without the appropriate authorizations. According to VAMC policy, Occupational Health professionals may not access an employee's veteran medical record without a Release of Information signed by the employee veteran. In this case, [redacted] and [redacted] accessed Complainant's veteran medical record through CPRS without such authorization, in violation of VAMC policy. However, VAMC reports that such access was made in order to access test results related to Complainant's required annual examination for employment as a police officer and for his participation on the Decon Team. Moreover, in response to the incident as originally reported to the facility Privacy Officer (PO) of VAMC, the PO opened an investigation into the matter. OCR found that the PO improperly closed the case on March 26, 2012 without determining a violation. However, the case was reopened by the PO on May 23, 2012 following notice of OCR's investigation, at which time the appropriate resolution was determined: that a violation had occurred by the Occupational Health employees. Thus, OCR cautions VAMC regarding the thoroughness with which it investigates grievances made by individuals regarding potential privacy violations. Subsequently, on May 23, 2012, the PO provided educational training to the named staff members pursuant to the policy of VAMC. Evidence of the completion of re-training was provided by VAMC. Furthermore, based on the covered entity's report that the aforementioned Occupational Health staff did verify that Complainant completed the required tests for the Decon Team as deemed necessary, OCR does not find evidence of retaliatory action.

Based on a review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the subsequent actions taken by VAMC to voluntarily comply with the Privacy Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hanafi, Investigator, at (404) 562-7876 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV