DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice - (404) 562-7836, (300) 368-1019
TDD - (404) 552-7384, (300)
(FAX) (404) 562-?831

Office for Civil Rights, Region IV
61 Street, SW
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-3909

March 5, 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office
Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW
Washington DC 20420

Re: [redacted] v. Salisbury (Bill) Hefner VA Medical Center
OCR Transaction Number: 12-148329

Dear [redacted] and Ms. Wilson:

On September 4, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Complainant, alleging that Salisbury (Bill) Hefner VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. §§ 164.400-164.414).

Complainant alleges that Salisbury (Bill) Hefner VA Medical Center (hereinafter, VAMC) impermissibly used the protected health information of Complainant when on August 16, 2012, a VAMC employee, [redacted], accessed Complainant's medical records for purposes outside the scope of his status as patient at VAMC and without authorization. Complainant further contends that he has never had a doctor/patient relationship with [redacted] which would warrant accessing Complainant's records. These allegations could reflect violations of 45 C.F.R. and respectively.

Please note 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the HIPAA Privacy Rule. Also, 45 C.F.R. requires, in part, a covered entity to identify which workforce members require access to PHI to carry out their duties and to identify which category of PHI is needed, and then to make reasonable efforts to limit such access based upon such need. Additionally, 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the Privacy Rule. Finally, 45 C.F.R. §164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VAMC of the complaint filed by Complainant on December 5, 2012. This notification was OCR's initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to the notification, Andrea Wilson, Privacy Implementation Coordinator, submitted a response on behalf of VAMC on January 11, 2013. Upon review of the response, OCR requested additional data from VAMC on February 20, 2013. VAMC provided the requested information on February 25, 2013. OCR's investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations and HIPAA training documentation.

Accordingly, OCR examined all of VAMC's submitted policies and procedures and found no indication of noncompliance with the HIPAA Privacy Rules. VAMC also provided sufficient evidence that it trains its workforce on HIPAA.

OCR also reviewed VAMC's response. In its response, VAMC reported that it undertook an investigation upon notification by Complainant and by OCR and corroborates the allegations. VAMC reports that on August 30, 2012, Complainant requested a Sensitive Patient Access Report (SPAR), which verified that [redacted], General Surgeon, has accessed Complainant's medical record on November 2, 2007 and August 16, 2012. [redacted] was interviewed by the facility Privacy Officer on August 29, 2012. In the interview, [redacted] stated that he did not have authorization to access records pertaining to Complainant and he was "checking the age for deployment." [redacted] acknowledged that such access was inappropriate and indicated that he would apologize to Complainant. In response to the incident, [redacted] was given a written reprimand, to remain in his employment file for up to three years.

Based on a review of the evidence, OCR determined that VAMC is in violation of the Privacy Rule for the impermissible disclosure of PHI by its workforce member, [redacted]. Nevertheless, VAMC has provided OCR with evidence that it appropriately sanctioned the responsible workforce member, [redacted]. Therefore, upon review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the voluntary corrective action measures undertaken by the covered entity to comply with the Rule, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Thus, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hanafi, Investigator, at sonya.hanafi@hhs.gov, (404) 562-3876 (Voice), or (404) 56241884 (TDD).

Regional Manager
OCR Region IV