DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 241
Chicago, IL 60601
Voice - (312) 836-2359
TDD - (312) 353-5693
(FAX) - (312) 836-130?

December 5, 201

Andrea Wilson
Privacy Implementation Coordinator
VHA Information Access Privacy Office (IOPZCI)
Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

Re: v. Louis Stokes Cleveland Veterans Affairs Medical Center
OCR Transaction Number: 11-124718

Ms. Wilson:

On March 1, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by complainant, and alleging that Louis Stokes Cleveland Veterans Affairs Medical Center (Cleveland VAMC), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, alleges that in December 2010, she learned that an employee of Cleveland VAMC, impermissibly used protected health information (PHI) in 2004 by accessing PHI without a legitimate business reason for doing so and later impermissibly disclosed [redacted] PHI. further alleges that the impermissible disclosure made by [redacted] may have prevented from obtaining employment at the Cleveland VAMC. This allegation could reflect violations of 45 C.F.R. 164.502(a) and

OCR enforces the Privacy and Security Rules, and the Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR has reviewed the matter raised in the complaint. On August 17, 2011, OCR notified the Veterans Health Administration (VHA) of this complaint.
On October 21, 2011, OCR received the written response to its investigation, along with supporting documentation. OCR subsequently received additional data responses and information from the VHA. Based on our review of the facts and circumstances of this matter, OCR has determined that all matters raised by this complaint at the time it was filed have now been resolved by the voluntary compliance actions of the VHA.

In its response, the VHA acknowledged that accessed medical record without the need to know in the performance of her official duties on June 24 and October 27, 2004. The VHA reported that it conducted a risk assessment upon review of these findings and subsequently reported the incident as a breach on website on March 15, 2011. The VHA also reported that it quickly gave individualized training on permissible access to Veteran medical records and referred the situation to Service Chief, who asserted he had given her verbal counseling regarding the matter. The VHA also reported that it found no evidence to support the allegation that may have been prevented from obtaining employment due to any impermissible disclosure or the impermissible use that occurred in 2004.

In her initial complaint, identified two individuals who may have knowledge related to the disclosure allegation and its effect on her obtaining employment at the Cleveland VAMC. On November 7, 2011, OCR contacted and explained that OCR would need to interview those individuals, if not others, to fully investigate her disclosure of PHI allegation. stated that she preferred for OCR to close its investigation of the disclosure issue without conducting interviews, as she planned to pursue the employment discrimination issues through other avenues.

The Privacy Rule prohibits a covered entity from using and disclosing PHI, except as permitted or required by its provisions.
45 C.F.R. A covered entity must also maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI. 45 C.F.R.

In this case, the evidence of record shows that impermissibly used PHI when she accessed it without a business reason for doing so. To resolve the issues raised in this matter, the VHA took the following voluntary actions: 1) sent a letter of apology to 2) attempted to mitigate any potential damage credit by offering her a year of identity theft protection; 3) provided training to [redacted] on February 22, 2011, focusing on accessing patient records of employees and appropriate access when there is a need to know to execute official duties; and 4) on October 25, 2011, re-educated Cleveland VAMC social workers and social work administrators regarding when employees may access patient records. VHA submitted documentation of the training and re-education to OCR.

During the course of this investigation, VHA provided OCR with copies of Cleveland policies related to using, disclosing, and safeguarding PHI. These policies generally comport with the requirements of the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, OCR Investigator, at (312) 886-5078 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Acting Regional Manager