Voice 431213352359 ofr?e for Civil Righm?l-?sgion TDD - (312} 353.5693 233 N. Michigan Ave, Suite 240 neth - (312} ass?1307 Chicago, IL 60601 DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY Mam, o?i 4,5, {5 August 8, 2013 {bil?ilbilVilCl Andrea Wilson, RHIA, CIPP, VHA Privacy Implementation Coordinator Information Access and Privacy Office- 10P2C1 Department of Veterans Affairs-Veterans Health Administration 810 Vermont Ave., NW Washington, DC 20420 Re: uis kes Ievelnd VAMica an OCR Transaction Number: 13?156243 Dear Ms. Wilson: On February 15, 2013, the US. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint ?led by the C?mplainant. alleging that Louis Stokes Cleveland VA Medical Center (Louis Stokes VAMC), the covered entity, is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information andior the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, alleges that, between August 21 and August 31, 2012, Louis Stokes VAMC employees [and MI impermissibly used protected health information (PHI) when they accessed his electronic medical record without a iegitimate business reason to do so.1 This allegation could reflect a violation of 45 CPR and OCR enforces the Privacy and Security Ruies, and the Breach Noti?cation Rule, and enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint. On June 17, 2013, OCR noti?ed Louis Stokes VAMC of this complaint. On July 16, 2013, Louis Stokes VAMC submitted a written response to OCR, along with supporting documentation. Louis Stokes VAMC subsequently provided additional responses and documentation throughout the course of this investigation. Based on our review of the facts and circumstances of this matter, we have noti?ed Louis Stokes VAMC of this matter on or about January 3, 2013. Page 2 determined that all issues raised in this matter at the time it was ?led have now been resolved by the voluntary compliance actions of Louis Stokes VAMC. The Privacy Rule mandates that a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. 45 C.F.R. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to - PHI by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. 45 C.F.R. The Privacy Rule also requires that a covered entity have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 C.F.R. In response to OCR's investigation, Louis Stokes VAMC confirmed, in writing, that it has taken the following steps toward resolving the issues raised in the complaint: 1. Conducted an internal investi ation into this matter; and 2. Provided verbal counseling to [and 2 Based upon the above information, OCR has determined that no further action is warranted, and therefore, this matter will be ciosed. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to reiease this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a cleariy unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Abby Bonjean, Investigator, at {312) 386-5895. Sincerely, Ceieste H. Davis Regional Manager cc: Ms. Shanta Wright, VHA Privacy Specialist 2 Louis Stokes VAMC submitted documentation showing that :retired effective November 2, 2012, prior to notifying the covered entity about this matter.