DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice - (312) 336-2359
TDD - (312) 353-5693
(FAX) - (312) 336-130?

Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601

September 3, 2013

[redacted]

Andrea Wilson, RHIA, MAM, Privacy Implementation Coordinator
Department of Veterans Affairs
Veterans Health Administration
VHA Privacy Office
810 Vermont Ave., NW.
Washington DC 20420

Re: [redacted] v. Department of Veterans Affairs
OCR Transaction Number: 11-125026

Dear Ms. Wilson:

On February 25, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by [redacted], the complainant, and alleging that the Department of Veterans Affairs (VA), through its Louis Stokes Veterans Administration Medical Center (LSVAMC), the covered entity, violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted] alleged that, discovered that [redacted], a personnel health doctor employed at LSVAMC, had impermissibly used protected health information (PHI) from VA patient record without his authorization. [redacted] further alleged that [redacted] used his PHI to make a determination about his fitness to return to his position as a shuttle bus driver at LSVAMC following several medical leaves of absence. [redacted] stated that the PHI that [redacted] obtained from his personal medical record was unrelated to the medical condition that was the basis for his medical leaves of absence. [redacted] further alleged that [redacted], another LSVAMC personnel health doctor, subsequently disclosed [redacted] PHI to Human Resources Department which used his PHI as a basis to disqualify him from returning to his position as a Motor Vehicle Operator. These allegations could reflect violations of 45 C.F.R.
164.502 and 164.514 of the Privacy Rule, respectively.

OCR enforces the Privacy and Security Rules, and the Breach Notification Rule. OCR also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matters raised in the complaint. OCR interviewed [redacted] and has reviewed the supplemental information that he provided to OCR. On April 2, 2012, and in response to subsequent data requests, the VA provided a written response and supporting documentation to OCR.

From June 2010 to December 2010, [redacted] presented to the Personnel Health Unit on multiple occasions pertaining to fitness for duty evaluations following his knee surgery and an on-the-job injury. During the process of [redacted] interviewed him regarding his medical history, obtained PHI from [redacted] VA patient medical file, and reviewed information that [redacted] primary care physician provided.

On November 5, 2010, [redacted] supervisor requested that a Fitness for Duty examination be performed on [redacted] because he was unable to perform the full range of duties associated with his position as a Motor Vehicle Operator. On December 16, 2010, [redacted] signed a "Certificate of Medical Examination" form attesting that the information that [redacted] provided during his Fitness for Duty examination was correct. On December 22, 2010, [redacted] sent a memorandum to the Chief of Human Resources Management Services which indicated that based on the December 16, 2010, medical evaluation that she conducted, [redacted] was not physically fit to perform the functional requirements for the position of a Motor Vehicle Operator.

The Privacy Rule at 45 C.F.R. 164.502 states that a covered entity may use or disclose PHI for its own treatment, payment, or health care operations.
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. In this case, [redacted] used [redacted] patient PHI to provide health care services when they conducted examinations and evaluations of [redacted]. Therefore, [redacted] use of [redacted] patient PHI is permitted under the Privacy Rule because the information was used for treatment purposes.

The Privacy Rule at 45 C.F.R. 164.514(d) states that covered entities must implement reasonable minimum necessary policies and procedures that limit how much PHI is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also reasonably must limit who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment purposes. [redacted] used PHI for treatment purposes which is also permitted by the Privacy Rule.

The VA Human Resources Office serves as the Workman's Compensation coordinator between VA facilities and the U.S. Department of Labor (DOL). The VA indicated that designated employees in its Human Resource Office utilize information that they receive from the VA Personnel Health Division in the performance of their duties and to exchange information, when necessary, with DOL.

[redacted] completed a Federal Employee's Notice of Traumatic Injury and Claim for Continuation of Pay/Compensation (form ). The form states that "I hereby authorize any physician or hospital (or any other person, institution, corporation or government agency) to furnish any desired information to the U.S.
Department of Labor, Office of Workers' Compensation Program (or to its official representative). This authorization permits any official representative of the Office to examine and to copy any records concerning me." The form contains a section that asks for the name and contact information of the physician who first provided medical care to the injured employee and a section that asks if medical reports show that the injured employee is disabled for work. The VA indicated that [redacted] was the first physician to provide medical care to [redacted] on June 29, 2010, and that [redacted] was disabled for purposes of work. The VA forwarded this completed form to the Department of Labor's Office of Workers' Compensation.

The Privacy Rule at 45 C.F.R. 164.512 states that a covered entity may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. Therefore, [redacted] and [redacted] were permitted to disclose PHI to the LSVAMC Human Resource Department so that it could process and forward information related to [redacted] worker's compensation claims to DOL.

The VA also submitted its policies and procedures for using and disclosing PHI to OCR. OCR has determined that these policies and procedures generally comport with the requirements of the Privacy Rule.

Although the Privacy Rule permits a covered entity to use and disclose PHI for purposes of treatment, payment, and health care operations, the VA indicated that [redacted] violated its internal policy by accessing and using [redacted] PHI without his written authorization.
The VA took the following voluntary compliance action to address this concern: 1) developed a System Operating Procedure (SOP) which states that VA employee health providers must obtain an employee's authorization prior to accessing an employee's patient medical record; 2) trained staff regarding the new SOP; and 3) provided [redacted] individual training regarding the new SOP.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Cassandra Griffin, Investigator, at (312) 353-0911 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager