Voioo- {214} 751-4056, {soc} 368-1019 I TDD - {214) Riv-3940 Of?ce for Civil Rights, Regiori VI
Fax - (214) taro-132 WW 1301 Young sneer. Suite 11:59
mihsJ'X?M

gun?:

was
?in
?g DEPARTMENT OF HEALTH a: HUMAN OFFICE OF THE SECRETARY

SEP 05 2013

 



 

 

 

OCR Transaction Number: 12-133328

 

. 
Deal. ii 
On October 6, 2011, the US. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR), received your complaint alleging that the Audie L. Murphy VA Hospital
(the ?Hospital?), the covered entity, has violated the Federal Standards for Privacy of
Individually Identifiable Health Information andior the Security Standards for the Protection
of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and

E, the Privacy and Security Rules). Speci?cally, you allege that employees of the Hosital
im ermissibl accessed our EPHI. The employees include the following: _{53={bl{73{03
Imam?)le land  ib3l53=ibililicl This allegation could re?ect a violation

of 45 C.F.R. 

 

 

 

 

 

 

Thank you for bringing this matter to attention. Your complaint is an integral part of
OCR's enforcement efforts. 

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in
violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to
otherwise permitted or required use or disclosure. 45 C.F.R. For example,
such safeguards might inciude shredding documents containing protected health information
before discarding them, securing medical records with lock and key or pass code, and
limiting access to keys or pass codes.

We have carefully reviewed your complaint against the Hospital and have determined to
resolve this matter informally through the provision of technical assistance to the Heepital.
Should OCR receive a similar allegation of noncompliance against the Hospital in the future,
OCR may initiate a formal investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule
provisions related to Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to- release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that

 

 


I Page 2 of 2

 

 

 

identifies individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Eva Lee, Investigator, at (214)
767-0384 (Voice), (214) 767-8940 (TDD).

Sincerely,

 
  

  

orge A. 

Regional ger

Enclosure: Reasonable Safeguards

 

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as
well as that limit incidental uses or disclosures. See 45 C.F.R. 5164.530 It is not
expected that a covered entity?s safeguards guarantee the privacy of protected health
information from any and all potential risks. Reasonable safeguards will vary from covered
entity to covered entity depending on factors, such as the size of the covered entity and the
nature of its business. In implementing reasonable safeguards, covered entities should
analyze their own needs and circumstances, such as the nature of the protected health
information it holds, and assess the potential risks to patients' privacy. Covered entities
should also take into account the potential effects on patient care and may consider other
issues, such as the financial and administrative burden of implementing particular
safeguards. -

Many health care providers and professionals have long made it a practice to' ensure
reasonable safeguards for individuais' health information for instance:

- By speaking quietly when discussing a patient?s condition with family members in a
waiting room or other public area;

- By avoiding using patients? names in public hallways and elevators, and posting signs
to remind employees to protect patient con?dentiality;

- By isolating or locking ?le cabinets or records rooms; or

a By providing additional security, such as passwords, on computers maintaining
personal information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of
conduct to develop the reasonable safeguards required by the Privacy Rule.

 

arms 
i
ax DEPARTMENT OF HEALTH 8: HUMAN SERWCIES OFFICE OF THE SECRETARY

Voice- (214) 76?-4056, (soc) 363-1019 (214) rem-940 Of?ce for Civil Rights, Region VI
FAX - (214) ?67-0432 MW 1301 Young Street, Suite 1169
Dallas, 1315202

SEP 0-5 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPPIG

VHA Privacy Implementation Coordinator

Information Access and Privacy Office 10P2C1

Department of Veterans Affairs - Veterans Health Administration
310 Vermont Avenue, N.W.

Washington, DC 20420

OCR Transaction Number: 12-133328
Dear Ms. Wilson:

On October 6, 2011, the U.S. Department of Health and Human Services (HHS), Office for
Civil Rights (OCR), received a complaint alleging that the Audie L. Murphy VA Hospital (the
?Hospital?), the covered entity, has violated the Federal Standards for Privacy of Individually
Identifiable Health Information andfor the Security Standards for the Protection of Electronic
Protected Health Information (45 C.F.R. Parts 160 and 164 he
Privacy and Security Rules). Specifically, the complainant,liblialiblmicl ialleges
that employees of the Hospital impermissiny accessed his ERHI. The employees inilugf the
foliowing: lcurrent wife), {bli?liblmicl and ?3'3
This allegation could re?ect a violation of 45 C.F.R. 

 

 

 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonabie
safeguards to prevent impermissible disclosures of protected health information (PHI). A
covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in
violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to
otherwise permitted or required use or disclosure. 45 C.F.R. 

Pursuant to its authority under-45 C.F.R. 160.304(a) and OCR has determined to
resolve this matter informally through the provision of technical assistance to the Hospital.
To that end, OCR has enclosed material explaining the Privacy Rule provisions related to
Reasonable Safeguards.

You are encouraged to review these materials closely and to share them with your staff as
part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide
to your workforce. You are also encouraged to assess and determine whether there may
have been any noncompliance as alleged by the complainant in this matter, and, if so, to
take the steps necessary to ensure such noncompliance does not occur in the future. In
addition, OCR encourages you to review the facts of this individual's complaint and provide
the individual the appropriate written response swiftly if necessary to comply with the
requirements of the Privacy Rule. Shouid OCR receive a similar allegation of noncompliance
against the Hospital in the future, OCR may initiate a formal investigation of that matter. In

 

 

Ms. Andrea Wilson
Page 2 of 2

addition, please note that, after a period of six months has passed, OCR may initiate and
conduct a compliance review of the Hospital related to your compliance with the Privacy
Rule's provisions related to Reasonable Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that
identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of
personal privacy.

If you have any questions regarding this matter, please contact Eva Lee, Investigator, at (214)
?6?-0334 (Voice), (214) 76?-8940 (TDD).

Sincerely,

 

Enclosure: Reasonable Safeguards

 

 

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as
well as that limit incidental uses or disclosures. See 45 C.F.R. ?164.530 It is not
expected that a covered entity?s safeguards guarantee the privacy of protected health
information from any and all potential risks. Reasonable safeguards will vary from covered
entity to covered entity depending on factors, such as the size of the covered entity and the
nature of its business. In implementing reasonable safeguards, covered entities should
analyze their own needs and circumstances, such as the nature of the protected health
information it holds, and assess the potential risks to patients? privacy. Covered entities
should also take into account the potential effects on patient care and may consider other
issues, such as the ?nancial and administrative burden of implementing particular
safeguards.

Many health care providers and professionals have long made it a practice to ensure
reasonable safeguards for individuals' health information for instance:

By speaking quietly when discussing a patient?s condition with family members in a
waiting room or other public area;

a By avoiding using patients? names in public hallways and elevators, and posting signs
to remind employees to protect patient confidentiality;

in By isolating or locking file cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining
personal information.

Protection of patient confidentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of
conduct to develop the reasonable safeguards required by the Privacy Rule.