DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region IV
61 Street, SW.
Atlanta Federal Center, Suite 16TH)
Atlanta, GA 30303-8909
Voice - (404) 562-?336, [3043} 363-1019
TDD - (404) 562-17364, (404) 562-3381

April 2014

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office
Department of Veterans Affairs-Veterans Health Administration
810 Vermont Ave, NW
Washington, DC 20420

Re: [redacted] v. Orlando VAMC
OCR Reference Number: 12-14991?

Dear [redacted] and Ms. Wilson:

On September 24, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. 164.400-164.414). Specifically, [redacted], Complainant, alleges that on August 28, 2012, following his visit to the VAMC where he was also employed, his physician, [redacted], impermissibly disclosed the results of his lab tests to Complainant's supervisor and other employees of the VAMC who were not involved in his care without his authorization. Complainant further alleges that the lab test results were not related to any occupational health physicals, but were rather a personal doctor's visit. This allegation could reflect potential violations of 45 C.F.R. 164.5 14(d)(1) and and

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Under the Privacy Rule, a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. See 45 C.F.R. Also, 45 C.F.R. and require a covered entity to identify the persons or classes of persons in its workforce who need access to PHI and to make reasonable efforts to limit access of such persons to the category of PHI to which access is needed. Covered entities must also have in place administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 C.F.R. §164.530(c)(1). Covered entities must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures; must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of and must not retaliate against any individual who files a complaint regarding violation of such Privacy Rule requirements. See 45 C.F.R.

On October 29, 2013, OCR provided notice to and requested data from VAMC. In response to the allegations, VAMC confirmed that had impermissibly disclosed Complainant's PHI to Complainant's supervisor without authorization. On September 5, 2012, the VAMC Privacy Officer opened an investigation into the incident upon notification by the supervisor via an Employee/Labor Relations representative. stated that she incorrectly believed that if an employee was impaired, notification to the supervisor was warranted. The Privacy Officer subsequently provided notice to Complainant on September 13, 2012.

On September 20, 2012, Complainant, unaware that the VAMC had already investigated the incident, submitted a complaint to the Privacy Officer. The VAMC formally responded to Complainant's complaint on October 10, 2012.

The VAMC provided OCR with evidence of the following corrective action measures: the responsible workforce was disciplined for this incident and provided training on the application of the Privacy Rule to patients who are also employees of the VAMC. As part of this review, OCR obtained VAMC policies, procedures, and documents related to the aforementioned provisions.

Based on VAMC response, we have determined that no further OCR action is required. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hana? at (404) 562-7865 (Voice) or (404) 562-17884 (TDD).

Sincerely,

Timothy Noonan
Regional Manager
Office for Civil Rights