DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region IV
61 Forsyth Street, S.W.
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909
Voice - (404) (800) 368-1019
TDD - (404) 562-7884, (800)
(FAX) (404) 562-7881

March 5, 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2C1
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Ave, NW
Washington DC 20420

Re: [redacted] v. West Palm Beach VA Medical Center
OCR Reference Number: 12-145635

Dear and Ms. Wilson:

On July 5, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Complainant, alleging that West Palm Beach VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Specifically, Complainant alleges that West Palm Beach VA Medical Center (hereinafter, VAMC), where Complainant is employed, impermissibly disclosed Complainant's protected health information when on March 25, 2012, a fellow employee of VAMC, [redacted], sent a text message to a co-worker, [redacted], regarding Complainant's admission to the hospital, including information regarding the nature of her visit and her treatment, although neither were involved in Complainant's care or were authorized by Complainant to do so. Furthermore, Complainant alleges that she requested an accounting of disclosures regarding her hospital records, but has yet to receive the report. These allegations reflect potential violations of 45 C.F.R. 164.528(a) and and and 164.5300}, respectively.

Please note 45 C.F.R.
164.502(a) states that a covered entity may not use or disclose protected health information, except as permitted or required by the HIPAA Privacy Rule. Also, 45 C.F.R. §164.528(a) and state that an individual has a right to obtain an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, and the accounting must be provided in writing and contain certain elements. Additionally, 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. Moreover, and require a covered entity to provide a process for individuals to make complaints concerning a covered entity's policies and procedures or its compliance with such policies and procedures and document all complaints received and their disposition. 45 C.F.R. §164.530(e)(1) states that a covered entity must have and apply sanctions against workforce members who fail to comply with its policies and procedures. Finally, 45 C.F.R. §164.530(f) requires a covered entity to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VAMC of the complaint filed by Complainant on November 14, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint.
In response to OCR's notification, Andrea Wilson, Privacy Implementation Coordinator, submitted a response on behalf of VAMC on December 18, 2012. Upon review of VAMC's response, OCR requested additional data from VAMC on February 3, 2013. VAMC provided the requested information on February 26, 2013.

OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations and HIPAA training documentation. Accordingly, OCR examined all of VAMC's submitted policies and procedures and found no indication of noncompliance with the HIPAA Privacy Rules. VAMC also provided sufficient evidence that it trains its workforce on HIPAA.

OCR also reviewed VAMC's response. In its response, VAMC reported that it undertook an investigation upon notification by Complainant and by OCR and corroborates the allegations. VAMC provided evidence that it opened an internal investigation into the incident on March 2012, at which time the Privacy Officer met with Complainant to address the issues. As a result of the investigation, VAMC provided Complainant with a Sensitive Patient Access Report (SPAR), which was mailed to her on April 30, 2012. VAMC corroborates Complainant's allegations that a Nursing Assistant, [redacted], disclosed Complainant's PHI to another Nursing Assistant, [redacted], via text message. In response to the incident, the responsible workforce member received a three-day suspension and the event was reported as a HITECH breach on May 7, 2012. However, VAMC contends that Complainant was provided with an accounting of disclosures in the form of a SPAR report, and VAMC provided evidence that the documentation was sent on April 30, 2012.

Based on a review of the evidence, OCR determined that VAMC is in violation of the Privacy Rule for the impermissible disclosure of PHI by its workforce member. Nevertheless, VAMC has provided OCR with evidence that it appropriately sanctioned the responsible workforce member.
Therefore, upon review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the voluntary corrective action measures undertaken by the covered entity to comply with the Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Thus, OCR is closing this case.

OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hanafi, Investigator, at (404) 562-7826 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV