DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region
61 Forsyth Street, SW.
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909

Voice - (404) 562-?336, (300) 368-1019
TDD - (404) 562-?334, (300) 53?w769?
(FAX) (404) 562-?331

April 28, 2014

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office 10P2C1
Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW
Washington DC 20420

Re: [redacted] v. Carl Vinson VAMC
OCR Reference Number: 12-138507

Dear and Ms. Wilson:

On February 2, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Complainant, alleging that the Carl Vinson VA Medical Center (VAMC) is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. 164.400-164.414).

Specifically, Complainant alleges that the VAMC impermissibly used her PHI when beginning in 2005 and continuing through 2011, various employees of the VAMC who were not in Complainant's care, including [redacted], accessed her PHI without authorization. This allegation could reflect potential violations of 45 C.F.R. and and

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR Transaction 12-138507 Page 2 of 3

Please note that 45 C.F.R.
164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the HIPAA Privacy Rule. Also, 45 C.F.R. and (2) state that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such persons to the categories of PHI as minimally necessary. Additionally, 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. Finally, 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the Privacy Rule.

OCR notified VAMC of the complaint filed by Complainant on November 5, 2013. In response to the allegations, VAMC reported that it initially received a request for a Sensitive Patient Access Report (SPAR) from Complainant on June 13, 2011, which it provided to Complainant. Subsequently, VAMC opened an investigation, per Complainant's request, into the potential impermissible accesses by the above named workforce members. However, the Acting Privacy Officer was unable to locate the investigation files or the response back to Complainant, as the previous Privacy Officer had retired. Thus, on December 27, 2013, VAMC reopened an investigation in response to notification.

investigation included a review of response to the allegations, as well as a review of its pertinent policies and procedures. In its response, VAMC stated that accesses to Complainant's medical records were consistent with his job duties, specifically, entry of laboratory results. Additionally, access of Complainant's records was also determined to be treatment related.
VAMC could not verify that [redacted] access to Complainant's records was related to his job duties; however, is no longer employed by the VAMC. Thus, further investigation and/or sanctions against him were not feasible. VAMC notified Complainant of its finding on February 4, 2013. The VAMC also provided evidence that all VA employees were provided annual privacy and security training.

OCR determined that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hana?, Investigator, (404) 562-7876 (Voice) or (404) 562-7384 (TDD).

Sincerely,

Timothy Noonan
Regional Manager
Office for Civil Rights