DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, SW
Atlanta, GA 30303-3909
Voice - (404) 562-7886, (800) 368-1019
TDD - (404) 562-7834, (800) 537-7697
(404) 562-7881

December 13, 2012

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office 10P2C1
Dept. of Veterans Affairs
Veterans Health Administration
810 Vermont Ave NW
Washington, DC 20420

Re: [name redacted] vs. VAMC Lexington
OCR Reference Number: 12-138438

Dear [name redacted] and Ms. Wilson:

On January 31, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that Lexington VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Part 164, Subpart D - Notification in Case of Breach of Unsecured Protected Health Information). Specifically, Complainant, [name redacted], alleges that Lexington VA Medical Center (hereinafter, VAMC), where he is employed as a police officer, impermissibly accessed his PHI beyond the minimum necessary, when in July 2010 and at various times from July 2011 through September 2011 [name redacted] and [name redacted] accessed Complainant's Veterans Health Record, which is outside the scope of Complainant's employee physical. These allegations could reflect violations of 45 C.F.R. [section illegible] and [section illegible], respectively.

Please note that 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the Privacy Rule. Also, 45 C.F.R. [section illegible] states that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such persons to the categories of PHI as minimally necessary. Additionally, 45 C.F.R. [section illegible] states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures.

OCR notified VAMC regarding the complaint filed by Complainant on November 7, 2012. This notification was OCR's initial communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to OCR's notification, Andrea Wilson submitted a response on behalf of VAMC on November 28, 2012. OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations. Accordingly, OCR reviewed VAMC's privacy policy. OCR examined the submitted policy and found no indication of noncompliance with the HIPAA Privacy Rules. OCR also reviewed VAMC's response to the allegations and internal investigation documentation. In its response, VAMC admits that Complainant's PHI was inappropriately accessed by VAMC employees [name redacted] and [name redacted], who are responsible for reviewing and certifying that Lexington VA Police Officers are qualified medically to retain their positions. VA policy requires Occupational Health staff to obtain prior authorization from the Veteran/employee prior to accessing health information contained in the Veteran's health records for employment purposes.

VAMC reports that upon investigation it was determined that the Occupational Health staffers were unaware of the requirement to obtain an authorization from the Veteran/employee before accessing any health information from the Computerized Patient Record System (CPRS). In [illegible], [name redacted] and [name redacted] were routinely reviewing EKGs and any other pertinent information needed to complete the annual physical examinations on VA Police Officers without such authorizations, in violation of VA policy and the HIPAA Privacy Rule.

In response to the complaint, VAMC provided evidence of the following corrective action measures:
1) the VAMC Privacy Officer undertook an investigation into the complaint which included interviews of the Occupational Health staff;
2) a white paper was created and sent to the Chief of Police to distribute to all Police Officers explaining the procedures for access of their records and how staff review [illegible];
3) Complainant was notified on August 6, 2012 regarding the finding that his record was impermissibly accessed;
4) on May 23, 2012 the facility Privacy Officer provided educational training to the Occupational Health staff to prevent future impermissible disclosures.

Based on a review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the actions taken by VAMC to voluntarily comply with the Privacy Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved by VAMC. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hanafi, Investigator, at [illegible] or (404) 562-7376 (Voice), (404) 562-7834 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV