DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 249
Chicago, IL 60601
Voice (312) 33152359
TDD (312) 353-5593
(312) 336-180?

November 22, 2011

Andrea Wilson
VHA Privacy Implementation Coordinator
Privacy Office
VA Central Office
810 Vermont Avenue, NW
Washington, DC 20420

Re: Ann Arbor VA Healthcare System (Breach Report)
OCR Transaction Number: 11-122424

Dear Ms. Wilson:

On December 16, 2010, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received three Breach Reports filed by Ann Arbor VA Healthcare System (Ann Arbor). These Breach Reports indicated that Ann Arbor may not be in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the first Breach Report stated that, on January 26, 2010, Ann Arbor employees had created an unauthorized video of interviews of two patients and placed the video on a thumb drive. The second Breach Report stated that, on April 21, 2010, Ann Arbor discovered electronic protected health information (EPHI) on a website used by Ann Arbor to create label templates. The final Breach Report stated that, on April 22, 2010, Ann Arbor discovered EPHI on a compact disc in an Ann Arbor employee's work room. These Breach Reports could reflect violations of 45 C.F.R. [sections illegible].

OCR enforces the Privacy and Security Rules, and the Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint. On March 18, 2011, OCR notified Ann Arbor of this complaint.
On May 11, 2011, Ann Arbor provided a written response to OCR. OCR subsequently reviewed additional responses and documentation from Ann Arbor. Based on our review of the facts and circumstances of this matter, Ann Arbor had controls in place that responded appropriately to these incidents. OCR has determined that all of the issues raised in this matter at the time it was filed have now been resolved by the voluntary compliance actions of Ann Arbor.

The Privacy Rule mandates that covered entities only use or disclose protected health information (PHI) as permitted or required by the Privacy Rule. See 45 C.F.R. [section illegible]. The Privacy Rule also requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against any intentional or unintentional disclosure in violation of the Privacy Rule. See 45 C.F.R. [section illegible].

The Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity. 45 C.F.R. [section illegible]. Covered entities must also implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level and must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. 45 C.F.R. [sections illegible] and (C). Additionally, covered entities must implement a security awareness and training program for all members of their workforce (including management) and must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. 45 C.F.R. [sections illegible]. A covered entity must also implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility, and must implement a mechanism to [text illegible]. 45 C.F.R. [sections illegible].

The complaint arises from three Breach Reports submitted by Ann Arbor. The incident of January 26, 2010, involved the unauthorized video recording and interview of two VA patients, with a copy of the resulting video having been placed on a thumb drive. The incident of April 21, 2010, involved the discovery of EPHI on a website used by an Ann Arbor employee to create label templates. The incident of April 22, 2010, involved the discovery of EPHI on a compact disc in the Ann Arbor employee's work room.

In its first response, Ann Arbor provided evidence of its internal incident response and corrective actions taken as a result of the incidents. Ann Arbor reported that, in the incident of the unauthorized video, two students and a workforce member obtained verbal consent from the two patients to interview and videotape them for a school project. Ann Arbor stated that there are established VA requirements and forms for authorization and use of video recording, which were not obtained beforehand. Ann Arbor reported that, in the second incident, a physician had created a website within the gateway network that contained an image of a patient in Ann Arbor's facility. Upon inspection, it was determined that the image could be zoomed in on to identify the patient's name and social security number from content within the image. Ann Arbor investigated and recommended that the website be shut down to fully determine whether any other EPHI was visible. As a result, the image was removed from the website and the physician responsible was provided additional training on safeguarding EPHI.
We note that, although the image was not provided for review, because the information was visible to a casual observer it is likely that neither privacy screens nor other means of workstation security were implemented.

Ann Arbor also reported that, in the third incident, the Information Security Officer discovered an unsecured and non-password-protected CD in its employee work room that contained the EPHI of one of its patients. It is unclear whether the CD was in a position to have been obtained or accessed by any non-Ann Arbor workforce members. Ann Arbor reported that the physician responsible for leaving the unsecured and unprotected CD received additional training on protecting and safeguarding EPHI.

Although Ann Arbor provided written assurances of the corrective actions taken, and the individual incidents appear to be limited in scope and corrected quickly, specific policies and procedures were not provided supporting Ann Arbor's requirements. Specifically, Ann Arbor did not provide a copy of its policy and procedures for creating and password-protecting portable media that contain EPHI. Additionally, Ann Arbor did not provide evidence of having performed both technical and nontechnical evaluations of the physician's website to determine satisfactory assurances of having safeguarded the informational content therein.

Ann Arbor's second response provided additional evidence in support of corrective actions it took as a result of the reported incidents. Ann Arbor provided copies of its information security policy and again noted that the physician involved with the creation of the internal website acted independently and without permission, against established policies. As a result, Ann Arbor stated that it was unable to perform evaluations of the webpage, since the webpage was unapproved and Ann Arbor only became aware of it as a result of the complaints that were filed.
Ann Arbor also provided copies of invoices as evidence of privacy filters it implemented on its workstations to prevent unauthorized viewing of EPHI. Ann Arbor additionally provided a copy of its removable storage media policy. The policy clearly requires appropriate safeguards to be implemented before any removable media is used by workforce members. Procedures were also included which detail Ann Arbor's requirements for workforce members to adequately safeguard the media; these procedures appear not to have been adhered to in the incident of the unsecured and non-password-protected CD that was discovered.

Although initially unrelated, Ann Arbor appears to have addressed the separate incidents accordingly. We acknowledge that two separate workforce members likely acted independently and against established policies and procedures in the creation of unapproved websites and in the creation of unprotected portable media.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Seth Wainer, Investigator, at (312) 386-589? (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Acting Regional Manager