OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
61 Street, SW, Atlanta Federal Center, Suite
Atlanta, GA 30303-8909

DEPARTMENT OF HEALTH & HUMAN SERVICES

Voice - (404) 5624836, (800) 368-1019
TDD - (404) 562-?384, (300) 53?-759?
(FAX) (404) 562-?331
'wawhhs. v!

March 25, 2013

[redacted]

Ms. Andrea Wilson, Privacy Implementation Coordinator
Information Access and Privacy Office 10P2C1
Veteran's Health Administration
Department of Veterans Affairs
810 Vermont Ave, NW
Washington, DC 20420

Re: [redacted] vs. Charlie Norwood VA Medical Center
OCR Transaction Number: 12-15023]

Dear and Ms. Wilson:

On October 3, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from Complainant, alleging that Charlie Norwood VA Medical Center is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. §§ 164.400-164.414).

Specifically, [redacted], Complainant, alleges that Charlie Norwood VA Medical Center (hereinafter, VAMC) impermissibly used and/or disclosed protected health information of Complainant when on December 15, 2011, a VAMC employee accessed Complainant's medical records impermissibly and without authorization. These allegations could reflect violations of 45 C.F.R. 1), and respectively.

45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose protected health information, except as permitted by the HIPAA Privacy Rule. Also, 45 C.F.R.
states that a covered entity must identify the persons in its workforce who need access to PHI to carry out their duties and the categories of PHI to which access is needed, and then make reasonable efforts to limit the access of such person to the categories of PHI as minimally necessary. 45 C.F.R. 164.528 provides individuals with a right to receive an accounting of disclosures of PHI made by the covered entity. Additionally, 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards to protect against incidental disclosures. Moreover, 45 C.F.R. states, in part, that a covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedure of the covered entity or the Privacy Rule. Finally, 45 C.F.R. § 164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR notified VAMC of the complaint filed by Complainant on February 22, 2012. This notification was initial written communication with the covered entity about the complaint, and it describes the act(s) and/or omission(s) that are the basis of the complaint. In response to notification Andrea Wilson, Privacy Implementation Coordinator, submitted a response on behalf of VAMC on March 15, 2012.
investigation included a review of the covered entity's pertinent policies and procedures, as well as the covered entity's investigation into the allegations and HIPAA training documentation. Accordingly, OCR examined all of VAMC's submitted policies and procedures and found no indication of noncompliance with the Privacy Rule. VAMC also provided sufficient evidence that it trains its employees on the Privacy Rule.

OCR also reviewed VAMC's response. In its response, VAMC reported that it undertook an investigation prior to notification by OCR and corroborates the allegations. VAMC reported that on Jul 16, 2012, Complainant filed a complaint with VAMC regarding his supervisor, [redacted], alleging impermissible access of his PHI. Additionally, on July 23, 2012 Complainant requested an accounting of disclosures via a "Sensitive Patient Access Report" (SPAR). VAMC undertook an investigation into the employee's access of Complainant's records and determined that accessed Complainant's record impermissibly on December 15, 2011. VAMC reports that on August 23, 2012 told the facility Privacy Officer that she had accessed Complainant's record in order to assist Complainant with his medical leave request. VAMC reports that this access is in violation of its policies and procedures for uses and disclosures and beyond the minimum necessary requirements.

VAMC provided evidence that [redacted] was sanctioned according to VAMC policy with a ten (10) day suspension without pay on September 5, 2012. Additionally, Complainant was offered an apology, as well as credit monitoring on August 21, 2012.

Upon review of all pertinent policies and procedures that are deemed compliant with the requirements of the Privacy Rule, and the corrective actions taken by VAMC, OCR determines that all matters raised by the complaint, at the time it was filed, have now been resolved through the voluntary compliance actions of VAMC. Therefore, OCR is closing this case.
determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Sonya Hana?, Investigator, at gov, (404) 562-78? 6 (Voice), or (404) 562-?384 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager
OCR Region IV