??irts.
yd DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY

 

g1 ?lhlru.&

 

 

 

 

?l'oicc - {214} tat?ans, (sin) anemia TDD - {214) tar?star: Office for Civil Rights, Region VI
13$ FAX hr twine m- 1301 Young Street, Suite 1169
team Dallas, TX $5202

Carol Farer
VHA Privacy Specialist, CIPPIG, CHPC
Information Access and Privacy Ofiice- 10P2C1  '0 5 2012
Department of Veterans Affairs-Veterans Health Administration
310 Vermont Ave, NW

Washington, DC 20420

Our Reference Number: 11-127156

Dear and MS. Farer:

The Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a
complaint on May 03, 2011, alleging that the South Texas Veterans Health Care System! Audie
L. Murphy VA Hospital is not in compliance with the Federal Standards for Privacy of
Individually Identi?able Health Information (45 CPR. Parts 160 and 164, Subparts A and E, the
Privacy Rule).

Speci?cally, the complainant, alleges that while she was a patient waiting for
surgery in a surgery holding unit at the Audie L. Murphy VA Hospital (VA) on February 15,
201 1, hospital personnel discussed, in her presence, information about other surgical patients
including the reason one patient required surgery. For example, the complainant asserts a VA
representative told a VA nurse that: "Girl, she is having surgery on her hands because she put
her hands through a window because she was mad at her boyfriend.? These allegations could
re?ect a violation of 45 CPR. 164.502, 16453003), and 

OCR enforces Federal civil rights laws that prohibit discrimination in the delivery of health and
human services because of race, color, national origin, disability, age, and, under certain
circumstances, sex and religion. OCR is also responsible for enforcing the Privacy and Security
Rules as they apply to ?covered entities.? Covered entities include health care clearinghouses,
health plans, and health care providers that transmit health information in electronic form in
connection with a transaction for which HHS has adopted standards. See 45 C.F.R. Part 162.

A covered entity may use or disclose protected health information only as permitted or required
by the Privacy Rule. 45 C.F.R. Consequently, other than for treatment, payment,
or health care operations, a covered entity may use or disclose protected health information
without a valid written authorization only in situations described in 45 CPR. 164.512, such as
when a disclosure is required bylaw. See 45 C.F.R. 164.502(a) and 164.512. Further, a
covered entity must reasonably safeguard protected health information from any intentional or
unintentional use or disclosure that is in violation of the Privacy Rule. See 45 CPR 


In addition, covered entities must train all members of its workforce on the policies and

 

 

 

procedures with respect to protected health information as appropriate for the members of the
workforce to carry out their function within the covered entity. 45 C.F.R 
Similarly, a health care provider must have in place appropriate sanctions against members of its
workforce that fail to comply with privacy policies and procedures of the health care provider or
the Privacy Rule. 45 C.F.R. 

The Veterans Health Administration (VHA) responded to the complainant?s allegations on May
8, 2012, and concluded after an internal investigation that the allegations were valid. To address
the issues stated in the complaint, the era required the entire operating room staff of the Audie
L. Murphy VA Hospital to undergo privacy training on the. necessity of safeguarding protected
health information from being heard outside of the clinical setting. The VHA also issued a letter
of apology to the complainant and noti?ed the individual who was the subject of the ?holding
room? discussion about the incident and the procedures to follow if she wishes to pursue a
complaint with the VHA or OCR.

OCR provided technical assistance to the VHA and informed them that the actions of several
staff members may also constitute an impermissible use and disclosure of protected health
information under the Privacy Rule. To address this issue raised by OCR, the acility?s Privacy
Of?cer conducted additional training regarding the uses and disclosures of a patient?s protected
health information.

All issues raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of the Veterans Health Administration. Therefore, OCR is closing
this case. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Betty Robinson, Investigator, at
(214) 767-40?3.

Sincerely, .

Ralph D. Rouse -
Regional Manager, Region VI