OFFICE OF THE SECRETARY
Office for Civil Rights, Region
233 N. Michigan Ave, Suite 240
Chicago, IL 60601

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Voice - (312) 385-2359
TDD - (312) 353-5593
(FAX) - (312) 386-130?

May 26, 2011

Ms. Andrea Wilson
VHA Privacy Implementation Coordinator
VHA Privacy Office 01
Central Office
810 Vermont Avenue, NW
Washington, DC 20420

Re: Louis Stokes - Breach Report
OCR Transaction Number: 11-124618

Dear Ms. Wilson:

On January 20, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region received a breach report, required by 45 C.F.R. 164.408, from Louis Stokes Brecksville VAMC (Louis Stokes). Based on this breach report, OCR investigated whether Louis Stokes is in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification for Unsecured Protected Health Information Regulations (45 C.F.R. Parts 160 and 164, Subpart D, the Breach Notification Rule).

Specifically, the breach report states that applicants for Phlebotomy positions at Louis Stokes were asked to draw blood from 107 patients as part of an employment interview process. The applicants were then asked to identify the patients using the lab labels which contained Social Security numbers, names, and tests ordered. This breach report could reflect violations of 45 C.F.R. 164.502(a) and

OCR enforces the Privacy and Security Rules, and the Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matter raised in the breach report. On March 7, 2011, OCR notified Louis Stokes of this complaint.
On April 15, 2011, Louis Stokes provided a written response to OCR. OCR subsequently reviewed additional responses and information from Louis Stokes. Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was reported have now been resolved by the voluntary compliance actions of Louis Stokes.

Louis Stokes stated that, between August 26, 2010 and September 2, 2010, the PHI of 107 patients was impermissibly disclosed. Louis Stokes explained that job applicants were asked to verify patient information on a requisition slip and draw blood on the patients as part of the interview for the position. Upon learning of this matter, Louis Stokes initiated an Administrative Investigation Board (AIB). On November 24, 2010, the Louis Stokes Medical Center Director reviewed and approved the recommendations for resolving this matter.

The Privacy Rule mandates that a covered entity may not use or disclose protected health information (PHI), except as permitted or required by the Privacy Rule. See 45 C.F.R. The Privacy Rule also requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against any intentional or unintentional disclosure in violation of the Privacy Rule. See 45 C.F.R.

To resolve the issues raised in this matter, Louis Stokes took the following voluntary actions: 1) sanctioned the responsible supervisory employees involved in the breach, 2) retrained all of the lab department employees on safeguarding protected health information, 3) revised its procedures to utilize an artificial training arm for employment interviews, and 4) provided written notice, apologies, and offers of credit monitoring for one year to the affected individuals.
All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Louis Stokes. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Seth Wainer, Investigator, at (312) 886-5897 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Acting Regional Manager