DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
[80013684019
TDD - (404) 562-?884, (800) 53?-?697
(404) 5624381
til Street, SW.
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909

January 31, 2013

Ms. Andrea Wilson, CIPP/G, Privacy Implementation Coordinator
VHA Privacy Office
Veteran's Health Administration
Department of Veterans Affairs
810 Vermont Ave, NW. (10P2C1)
Washington, D.C. 20420

Re: [redacted] vs. Carl Vinson VA Medical Center
OCR Transaction Number: 12-14265 5

Dear [redacted] and Ms. Wilson:

On May 2, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted], Complainant, alleging that Carl Vinson VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart D - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Specifically, Complainant alleges that Carl Vinson VA Medical Center (hereinafter, VAMC) impermissibly used the protected health information of Complainant when on various dates from 2008, through 2012, VAMC employees, [redacted] and [redacted], accessed Complainant's medical records for purposes outside the scope of his status as a patient at VAMC. These allegations could reflect violations of 45 C.F.R. 164.528, and 164.5306), respectively.

45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the Privacy Rule. Also, 45 C.F.R.
states that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such persons to the categories of PHI as minimally necessary. 45 C.F.R. 164.528 provides individuals with a right to receive an accounting of disclosures of PHI made by the covered entity. Additionally, 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. Moreover, 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the Privacy Rule. Finally, 45 C.F.R. § 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VAMC of the complaint filed by Complainant on September 12, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to OCR's notification, Andrea Wilson, Privacy Implementation Coordinator, submitted a response on behalf of VAMC on November 30, 2012.
OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations and training documentation. Accordingly, OCR examined all of VAMC's submitted policies and procedures and found no indication of noncompliance with the HIPAA Privacy Rule. VAMC also provided sufficient evidence that it trains its employees on the Privacy Rule.

OCR also reviewed VAMC's response. In its response, VAMC reported that it undertook an investigation prior to notification by OCR and corroborates the allegations. VAMC reported that on March 8, 2012 Complainant requested an accounting of disclosures via a Sensitive Patient Access Report (SPAR), and noted that access by eight VAMC employees was suspicious. VAMC undertook an investigation into the eight employees' access of Complainant's records and determined that three had accessed Complainant's records impermissibly. VAMC reports that on July 6, 2012 [redacted] and [redacted] were suspended without pay and on September 12, 2012 [redacted] was suspended without pay in response to their impermissible use of Complainant's medical record. Additionally, VAMC provided evidence that all three employees were retrained on the Privacy Rule on November 23, 2012. VAMC also provided evidence that they offered Complainant free credit services as a result of the incident.

Upon review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the voluntary compliance with the Privacy Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hana?, Investigator, at (404) 562-7876 (Voice), or (404) 562-?884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV