DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) [illegible]-2359
TDD - (312) 353-5693
(FAX) - (312) [illegible]-1807

April 4, 2013

Vicki L. Bowman, VHA Privacy Specialist
Veterans Health Administration
VHA Privacy Office
810 Vermont Ave, NW
Washington, DC 20420

[redacted]

Re: [redacted] v. Battle Creek Veterans Affairs Medical Center
OCR Transaction Number: 12-133395

Dear [redacted] Ms. Bowman:

On October 17, 2011, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by the complainant, [redacted], alleging that the Battle Creek Veterans Affairs Medical Center (VA) has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted], a Fire Service employee and patient at the VA, alleges that, from January through May 2011, [redacted], a VA Employee Health Physician, impermissibly used his protected health information (PHI) when she accessed his treatment records without a valid authorization to do so. [redacted] further alleges that [redacted] continued to inappropriately access his PHI even after the VA received revocation of the authorization it had on record. These allegations could reflect violations of 45 C.F.R. 164.502(a) and 164.503(a) of the Privacy Rule.

OCR enforces the Privacy and Security Rules, as well as the Breach Notification Rule. OCR also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matters raised in the complaint. On September 21, 2012, OCR notified the VA of this complaint.
On November 20, 2012, the VA provided OCR with a written response, along with supporting documentation. OCR subsequently received additional responses and documentation from the VA. Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was filed have now been resolved by the voluntary compliance actions of the VA.

In its response to OCR, the VA reported that it had received a privacy complaint from [redacted] against [redacted] in June 2011 and had conducted an internal investigation into the matter. The VA reported that its internal investigation revealed that [redacted] had accessed [redacted] PHI on multiple occasions during the relevant time period without first obtaining a valid authorization to do so. The VA further reported that, under [redacted] direction, [redacted] had signed a blank authorization form entitled, "Authorization to Release Medical Records or Health Information." The VA reported that [redacted] subsequently completed the form so that it indicated that [redacted] had authorized [redacted] to access his PHI. The VA concluded that [redacted] had not sufficiently explained the blank authorization form to [redacted] prior to obtaining his signature.

The VA reported that on July 1, 2011, [redacted] submitted a revocation of the authorization to the VA. The VA reported that [redacted] accessed PHI one more time following the revocation. The VA provided OCR with copies of written and signed statements, dated July 29, 2011, from [redacted] and a VA secretary, in which they state that [redacted] access of [redacted] PHI following the revocation was an oversight.

The Privacy Rule mandates that a covered entity may not use or disclose PHI except as permitted or required by the Rule. See 45 C.F.R. 164.502. For example, the Privacy Rule permits a covered entity to disclose PHI, without authorization, to the individual or his or her personal representative, as well as for purposes of treatment, payment, and healthcare operations. See 45 C.F.R.
For uses and disclosures of PHI not otherwise allowed by the Privacy Rule, the individual's authorization is required. See 45 C.F.R. A valid authorization is a document that meets the requirements set forth at 45 C.F.R. Generally, an individual may revoke an authorization at any time, provided that the revocation is in writing. 45 C.F.R.

In this case, [redacted] accessed PHI pursuant to an invalid authorization that was not properly completed by [redacted].

To resolve the issues raised in this matter, the VA took the following voluntary compliance actions: (1) sanctioned [redacted] in accordance with its sanctions policy, by providing her with verbal counseling regarding its requirements for obtaining a valid authorization to use or disclose PHI and her obligation to ensure that she has a valid authorization prior to accessing PHI when such authorization is required; and (2) in November 2012, submitted a breach notification report to OCR and OCR has reviewed the policies and procedures related to uses and disclosures of PHI and has determined that they generally comport with the requirements of the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the matters that were reviewed by OCR.

If you have any questions, please do not hesitate to contact Deepali Doddi, J.D., Investigator, at (312) 886-0102 (Voice), (312) 353-5693 (TDD), or by e-mail at Deepali.Doddi@hhs.gov. Please be advised that communication by e-mail presents a risk of disclosure of the transmitted information to, or interception by, unintended third parties. Please keep this in mind when communicating with us by e-mail. When contacting this office, please remember to include the transaction number that we have given this file. That number is located in the reference line of this letter.

Sincerely,

Celeste H. Davis
Regional Manager