.a

SE DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY
e. voice - {214} tar-4055. TDD - (214) tar-am. (ace) 363-1019
it - (214) war-0432 Of?ce for Civil Rights, Region VI
mimic: 1301 Young Street, Suite 1169

Dallas, TX 75202

April 11, 2012

 



 

 

 

Ms. Andrea Wilson, MAM, 
Privacy Implementation Coordinator
Veterans Health Administration

VHA Privacy Of?ce (IOPZCI)

810 Vermont Ave. NW.

Washington, DC 20420

Our Transaction Number: 1 1- 125 538

 

b6,bi?C .
Dear i and Ms. Wilson:

 

 

 

On March ?17, 2011, the US. Departrnent of Health and Human Services (HI-IS), Of?ce
for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards
for Privacy of Individually Identi?able Health Information andfor the Security Standards
for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and
164, Subparts A, C, and E, 1the Privacy Rule and Secmity Rules). Speci?cally, the
complainant, liblielibliilic? Ialleged that after having billing issues with Central
Texas Veterans Healthcare System she found that some of her co?workers had
accessed her medical record without permission to do so and without an authorization.
The alleged incident could re?ect violations of 4S C.F.R. concerning uses
and disclosures of protected health information (PHI) and 164.530{c) and regarding
safeguards.

 

 

OCR enforces the Privacy Rule, Security Rule and also enforces Federal civil rights laws
which prohibit discrimination in the delivery of health and human services because of
race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

We have reviewed the matters raised in the complaint. On January 4, 2012, OCR noti?ed
the Central Texas Veterans Healthcare System of the complaint.

By letter dated February 15, 2012, OCR received a response to the complainant?s
allegation from Ms. Andrea Wilson, Privacy Implementation Coordinator, Veterans
Health Administration (V HA) Privacy Of?ce-

Ms. Wilson informed OCR the facility Privacy Officer (PO) and the VHA Privacy Of?ce
has thorougth reviewed the complaint. The facility PO ?rst met with the complainant in
February 201 1, when the complainant had a billing issue which was resolved. However,

 

the complainant then asked the PO who had accessed her health record. The P0 provided
a Sensitive Patient Access Report (SPAR) to the complainant and sat with her to go over
the list of staff who had accessed her record. The complainant had concerns with two
employees, Medical Administrative Specialist, Administrative Of?cer
of the Day (AOD) and Social Worker. A statement from AOD
indicates that the complainant was admitted to the Emergency Department
(ED) where the AOD was on duty that day. The A01) is responsible for checking in ED
patients, making the wristband, and following up on discharge orders.

 

Ms. Wilson provided OCR with copies of statements from PO,
{blt?ltbl and 

 

The statement from Social Worker, shows that he accessed the record on
May 8, 2009; however, he cannot recall accessing the record i s, so long ago and
that he wouldn?t have accessed it for any malicious manner. Ilblillbl?ilcl stated that the
incident happened in 2009 and he could assure that this was not in a coercive manner and
at the time he was working in the ED. He stated that he can assure that he did not disclose
any information of the complainant to others. statement indicated that as
the ADD, she accessed the complainant?s record on numerous times. Her purpose was to
check on orders, review discharge notes because she is responsible for discharging
patients from the ED, checking a patient in, run armbands and labels. {blielibllilicl stated
that following up on doctor?s orders is something that she does on a regular basisw
PO, stated that he was informed of complainant?s content, found out a
mistake was made regarding her address, briefed the complainant on the error and then
the complainant requested that an audit be done on her records so that she could review
an activities that she felt was inappropriate or disclosed. That audit was done and
assured the complainant that they had investigated her concerns to the
fullest. stated in his statement that the complainant requested and was
rovided with a review of her electronic medical record which was conducted by
Chief HIMSfAlternate P0. At that time the complainant did not voice any
concerns with any documentation within her record.

 

 

 

A letter was sent to the complainant and Ms. Wilson provided OCR with a copy of the
letter that was sent by the Director. In addition, their Patient Access Report was I vided
to OCR which showed that the ADD accessed the complainant?s record and
accessed it one time as he admitted to but could not recall why he did since it was in

2009. The Patient Access Report continued that it was in the year 2009. Further, Ms.
Wilson provided OCR with a copy of the job description

Ms. Wilson provided OCR with a copy of Policy and Procedures on Privacy and
the Release of PHI which included the Uses and Disclosures of and Safeguards of
PHI. When reviewed by OCR, they appear to comply with the requirements of the
Privacy and Security Rule.

Based on our review of the facts and circumstances of this matter, OCR has determined
that VHA conducted an internal investigation in which they met with the complainant,
discussed her concerns and issues, provided her access to her records and the Patient
Access Report. Her concerns were addressed and the outcome of their investigation was

 

explained to the complainant. The P0 found that the access by the ACID was in the
performance of her job duties and that the access by the social worker which was done in
2009, was most likely done in error; however, he did provide additional training on
accessing records by the ?rst initial of the last name and the last four digits of the social
security number instead of accessing using names in order to eliminate the possibility of
selecting the wrong patient. After all of the complainant?s discussions and concerns with
the P0, a letter was also issued to the complainant by the Director informing her of their
outcome and informing her that if she has any ?irther concerns or need additional
information to contact the PO. OCR has determined that no further OCR action is
warranted, and therefore is closing this matter.

determination as stated in this letter applies only to the allegations in this
complaint that was reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and
other information about this case upon request by the public. In the event OCR receives
such a request, we will make every effort, as permitted by law, to protect information that
identi?es individuals or that, if released, could constitute a clearly unwarranted invasion
of personal privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Equal
Opportunity Specialist, at (214) 767-4690 (Voice), or (214)767-8940 (TDD). Thank you
for bringing this matter to our attention.

Sincerely,

Ralph D. Rouse
Regional Manager