yam?

DEPARTMENT OF  3c HUMAN SERVICES OFFICE OF THE SECRETARY

 

 

 Voice - (214) ?6?-4056. (soc) ass-iota TDD . (214) tar-seam Of?ce for Civil Rights, Region VI
'5 FAX - (214) ass-cor i gamma: not Young Street, Suite use
Dallas,Tx 75202

. 
JUN 132012 i
i
{bli?lfbliilfcl 

 

 

 

Our Transaction Number: 1 1.13109?

Deal- {bil?llbilil 

On July 28, 201], the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region VI received your complaint alleging that the Department of Veteran
Affairs, the covered entity, has violated the Federal Standards for Privacy of Individually
Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy
Rule). Speci?cally, you allege that, on July 25, 2011, you received a phone call from a man
identifying himself as li'i?l'iaimimic?J informed you that he received your
military record and medical record in the mail from the epartrnent of Veteran Affairs. This
allegation could re?ect a violation of 45 C.F.R. 164.502(a) and 

 

 

 

Thank you for bringing this niatter to attention. Your complaint plays an integral part in
enforcement efforts. 
OCR enforces the Privacy, Siecurity, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion. 

The Privacy Rule permits ceriain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR. For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so; These safeguards may vary depending on the mode of
communication used. For dxarnple, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering his/liar voice.


We have carefully reviewed your complaint against the Department of Veteran Affairs and have
determined to resolve this matter informally through the provision of technical assistance to the
Department of Veteran Affairs. Should OCR receive a similar allegation of noncompliance
against the Department of Veteran Affairs in the future, OCR may initiate a formal investigation

of that matter. i

Based on the foregoing, is closing this case without further action, effective the date of this
letter. determinatiorit as stated in this letter applies only to the allegations in this
complaint that were reviewed'hy OCR.

 

Under the Freedom of Infoniia?on Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regalrding this matter, please contact Vaniecy Nwigwe, Investigator, at
214-767-4054 (Voice), 2144673940 (TDD).

Sincerely,

54',

Ralph D. Rouse
Regional Manager Region VI
Regional Manager

 



with

qt

 

 

if an DEPARTMENT OF  3: HUMAN SERWCES OFFICE OF THE SECRETARY
voice - (214) rot-toss, (soc) 363-1le TDD - {214) rot?394:} Of?ce for Civil Rights, Region VI
Jpql'il?.

FAX - (214) totem . WW 1301 Young Street, Suite use
i Dallas, Tx 752s:

JUN 18 2012 

Ms. Andrea Wilson, RHIA, CIPPIG

VHA Privacy ImplementationiCoordinator
Information Access and Privady Of?ce-1 0P2C1
Department of Veteran Affairsi-Veteran Health Admin.
810 Vermont Avenue, N.W. 3

Washington, DC. 20420 

Our Transaction Number: 11-l131097

Dear Ms. Wilson: i

On July 23, 201 1, the U.S. Diepartment of-Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region VI received a complaint alleging that the Department of Veteran Affairs,
the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able
Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule).
Speci?cally, the complaint alleges that. the Department of Veteran Affairs mailed the military
record and medical record  I to Itblt?libltl'ltcl I This allegation
could re?ect a violation of 45 has, 164.502(a) and 


OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion. 



 

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a lay-product of another permissible or required use or disclosure of PHI, as
long as the covered entity  applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR. example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing soi These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisflier voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was not
permissible, either because reasonable safeguards were not in place to prevent the use or
disclosure andfor because the; minimum necessary standard was not implemented when it should
have been. Pursuant to its authority under 45 C.F.R. 160.304{a) and OCR has determined
to resolve this matter informally through the provision of technical assistance to the Department
of Veteran Affairs. To that end, OCR has enclosed material explaining the Privacy Rule
provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum

Necessary requirement.
You are encouraged to revievir these materials closely and to share them with your staff as part of


 

the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance asQalleged by the complainant in this matter, and, if so, to take the
steps necessary to ensure such: noncompliance does not occur in the future. Please contact OCR
if you need further information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against the Department of Veteran Affairs in the future,
OCR may initiate a formal investigation of that matter.


Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determinatiori as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upbn request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identifies individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.


If you have any questions regarding this matter, please contact Vaniecy Nwigwe, Investigator, at
214-767?4054 (Voice), meter-3940 (TDD).

Sincerely,

.  
Ralph D. Rouse i
Regional Manager Region VI 
Regional Manager

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary