DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice - (312) 886-2359 TDD - (312) 353-5693 - (312) 336-180?

September 3, 2013

[redacted]

Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office - 10P2C1
Department of Veterans Affairs - Veterans Health Administration
310 Vermont Ave., NW
Washington, D.C. 20420

Re: [redacted] Minneapolis VA Medical Center
OCR Transaction Number: 12-137136

Ms. Wilson:

On December 13, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by the complainant, and alleging that Minneapolis VA Medical Center ("Minneapolis VA"), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). alleges that and [redacted] all employees of Minneapolis VA, impermissibly used her medical record without a legitimate business purpose. This allegation could reflect violations of 45 C.F.R. and of the Privacy Rule.

OCR enforces the Privacy and Security Rules, and Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matter raised in the complaint. On October 25, 2012, OCR notified Minneapolis VA of this complaint. On November 15, 2013, Minneapolis VA provided a written response to OCR, along with supporting documentation. OCR subsequently received additional responses and information from Minneapolis VA.
Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was filed have now been resolved by the voluntary compliance actions of the Minneapolis VA.

In its response to OCR, Minneapolis VA stated it conducted an internal investigation of this matter. Minneapolis VA reported that, on September 6, 2011, requested a copy of her Sensitive Patient Access Report (SPAR), which showed that [redacted] accessed the complainant's medical record twice. On September 20, 2011, the facility privacy officer interviewed [redacted]. [redacted] acknowledged knowing and working with the complainant, but stated she did not access the complainant's medical record. [redacted] believed she left her computer unlocked and unattended and someone may have accessed the complainant's medical record.

Minneapolis VA also reported that another individual mentioned in the complaint, had accessed record twice on February 14, 2009; and again on December 3, 2010 and December 6, 2010. The facility privacy officer interviewed [redacted], who stated that she worked on the same unit as [redacted] but that she did not recall accessing [redacted] medical record. stated she believed she left her computer unlocked and someone else might have [redacted] record. [redacted], the third individual mentioned in the complaint, was determined to have a legitimate business purpose for accessing record.

Minneapolis VA reported to OCR that and were both disciplined in accordance with the disciplinary actions outlined in the VA Handbook 5021, Part 1 Appendix A for their impermissible use of medical record. As part of the investigation, Minneapolis VA provided OCR a copy of Appendix A.

The Privacy Rule mandates that a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. 45 C.F.R.
The Privacy Rule also provides that a covered entity must implement policies and procedures with respect to uses and disclosures of and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. A covered entity must also have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of the Privacy Rule. 45 C.F.R.

In this case, alleged that individuals employed with Minneapolis VA impermissibly used her medical record. Minneapolis VA investigated and determined the actions of two of its employees did not comport with the requirements of the Privacy Rule. Accordingly, to resolve the issues raised in this matter, Minneapolis VA took the following voluntary compliance actions: 1) counseled both employees in writing regarding their impermissible use of [redacted] record.

In addition, during the course of this investigation, OCR reviewed the relevant privacy policies and procedures that Minneapolis VA submitted to OCR. These policies and procedures generally comport with the requirements of the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Wandah Hardy, Investigator, at (312) 353-9774 or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager