DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
61 Street, SW
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909
Voice: (404) 562-7886, (800) 368-1019
TDD: (404) 562-7884, (800) 537-7697
Fax: (404) 562-7881

April 11, 2013

[redacted]

Ms. Andrea Wilson, RHIA, CEPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2CI
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Ave, NW
Washington, DC 20420

Re: [redacted] vs. VAMC Lexington
OCR Reference Number: 12-14433?

Dear [redacted] and Ms. Wilson:

On June 11, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] (Complainant), alleging that the Lexington VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (Subpart - Notification in Case of Breach of Unsecured Protected Health Information, 45 C.F.R.). Specifically, Complainant alleges that the Lexington VA Medical Center (hereinafter, VAMC), where he is employed as a police officer, impermissibly accessed his PHI beyond the minimum necessary, when in December 2010 and January 2011 [redacted] and ARNP [redacted] accessed Complainant's Veterans Health Record, which is outside the scope of the Complainant's employee physical, without his authorization. Specifically, Complainant indicates that the individuals accessed Complainant's lab report from [redacted] of Sleep Lab impermissibly. These allegations could reflect violations of 45 C.F.R. 164.53 and 164.53, respectively.

[...] complaint and corroborated the allegations. VAMC reports that both [redacted]

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Please note that 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the HIPAA Privacy Rule. Also, 45 C.F.R. states that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such persons to the categories of PHI as minimally necessary. Additionally, 45 C.F.R. 164.530(c)(1) states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. Moreover, 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the Privacy Rule. Finally, 45 C.F.R. 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

OCR notified VAMC of the complaint filed by Complainant on December 13, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to notification, Andrea Wilson, Privacy Implementation Coordinator, submitted a response on behalf of VAMC on January 23, 2013.

OCR requested additional information on February 22, 2013, which VAMC provided on February 28, 2013. However, an identification error at the VAMC delayed OCR's investigation. The correct investigatory report was provided to OCR by the VAMC on April 9, 2013. OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's HIPAA training documentation. Accordingly, OCR reviewed the covered entity's access policies and procedures. Upon review of policies and procedures, OCR found no indication of noncompliance with the Privacy Rules. VAMC also provided sufficient evidence of training for all workforce members on HIPAA policies.

OCR also reviewed VAMC's response. In its response, VAMC indicates that it investigated the [redacted] and ARNP [redacted] who accessed Complainant's PHI during 2010 and 2011. VAMC further reports that interviews with both Occupational Health staff members indicate that neither was aware of the requirement to obtain an authorization from the Veteran/employee prior to accessing health information from CPRS. On March 11, 2013, VAMC notified Complainant regarding the impermissible use. On May 23, 202 the facility Privacy Officer provided educational training to the Occupational Health staff. Additionally, a reminder email was sent to both [redacted] and ARNP [redacted] on March 13, 2013 verifying the current process to obtain an authorization prior to any CPRS access, and both staff members confirmed the process was being followed.

Based on a review of the evidence, OCR determines that VAMC is in violation of the Privacy Rule. However, upon review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the corrective action measures undertaken to ensure voluntary compliance with the Privacy Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Therefore, OCR is closing this case.

OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hanafi, Investigator, at (404) 562-7876 (Voice), or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV