DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice: (312) 886-2359
TDD: (312) 353-5693

April 14, 2011

Andrea Wilson, RHIA, CIPP, CIPP/G
Privacy Implementation Coordinator
VHA Information Access & Privacy Office (19F2)
Department of Veterans Affairs
810 Vermont Ave., NW
Washington, DC 20420

Re: VA Ann Arbor Healthcare System Breach Report
OCR Transaction 11-122466

Dear Ms. Wilson:

On December 16, 2010, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a breach report required by 45 C.F.R. § 164.408 from VA Ann Arbor Healthcare System (Ann Arbor). Based on this breach report, OCR investigated whether Ann Arbor is in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification for Unsecured Protected Health Information Regulations (45 C.F.R. Parts 160 and 164, Subpart D, the Breach Notification Rule). Specifically, the Breach Report states that, on June 14, 2010, a third-party employee informed Ann Arbor that another employee had left a notebook containing the protected health information (PHI) of 26 individuals on a public bus. This allegation could reflect violations of 45 C.F.R. §§ 164.502 and 164.530(c). OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

OCR has reviewed the matter raised in the complaint. On February 9, 2011, OCR notified Ann Arbor of this complaint. On March 15, 2011, Ann Arbor provided a written response to OCR, along with supporting documents. OCR subsequently received an additional response and information from Ann Arbor. Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was filed have now been resolved by the voluntary compliance actions of Ann Arbor.

Ann Arbor reported that, on June 14, 2010, it was notified that a notebook containing the PHI of 26 Ann Arbor patients was found on a public bus. Ann Arbor located the employee responsible for the notebook and confirmed that, on June 14, 2010, she had taken the PHI out of the facility and left it on the bus. On June 21, 2010, Ann Arbor sanctioned this employee. Subsequently, on June 23, 2010, Ann Arbor notified and apologized to the 26 affected patients about the breach.

The Privacy Rule mandates that a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. See 45 C.F.R. § 164.502. The Privacy Rule also requires a covered entity to protect PHI from impermissible uses and disclosures by implementing reasonable safeguards. See 45 C.F.R. § 164.530(c). Additionally, a covered entity is required to train its workforce members on the policies and procedures adopted by the covered entity to protect PHI, to have and apply appropriate sanctions for employees who fail to comply with such policies and procedures, and to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures. See 45 C.F.R. § 164.530(b), (e), and (f).

Ann Arbor provided evidence that, on March 29, 2010, after receiving the National Veterans Health Administration Privacy Policy Awareness and Cyber Security Training, the responsible employee signed a statement indicating that she acknowledged and accepted the Department of Veterans Affairs National Rules of Behavior. Section 2.3 of the Rules of Behavior states: "I will obtain my VA supervisor's authorization, in writing, prior to transporting, transmitting, accessing, and using VA sensitive information outside of VA's protected environment." Ann Arbor provided further evidence that it has policies and procedures related to sanctioning employees for impermissible disclosures and for mitigating the harmful effects of disclosures. Therefore, the actions of Ann Arbor generally comport with the requirements of 45 C.F.R. § 164.530(b), (e), and (f) of the Privacy Rule.

To resolve the remaining issues raised in this matter, Ann Arbor took the following voluntary actions: 1) sanctioned the responsible employee and 2) notified and apologized to the affected individuals.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Seth Wainer, Equal Opportunity Specialist, at (312) 886-5897 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Acting Regional Manager