#5 ?tr s3 DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY Voice - (312) 336-2359 Of?ce for Civil Rights, Region 0% TDD - (312} 3535593 23.3 N. Michigan Ave, Suite 240 team? (FAX) - (312} 333-133? Chicago, IL 60601 August 9, 2013 {bli?liblmicl Andrea Wilson, RHIA, CIPP, CIPPJG VHA Privacy Implementation Coordinator Information Access and Privacy Of?ce- 10P2C1 Department of Veterans Affairs-Veterans Health Administration 810 Vermont Ave., NW Washington, DC 20420 Re: @631? v. Louis Stokes Cleveland VA Medical Center n1 OCR Transaction Number: 13-156734 {bli?iibliilici Dear Ms. Wilson: On March 11, 2013, the U.S. Department of Health and Human Services (HHS), Of?ce for Civii Rights (OCR), Region V, received a compiaint filed by Scott Sheline, the complainant, alleging that Louis Stokes Cleveland VA Medical Center (Louis Stokes VAMC), the covered entity, is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information andz?or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). ?1]qu that. between August 24 and Se tember 30, 2012, Louis Stokes VAMC employees and {13351 impermissiny used {bli?libliilicl protected health information HI) when tiey accessed his electronic medical record without a legitimate business reason to do so} This allegation could re?ect a violation of 45 C.F.R. and OCR enforces the Privacy and Security Rules, and the Breach Noti?cation Rule, and enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, age, and, under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint. On June 17, 2013, OCR noti?ed Louis Stokes VAMC of this complaint. On July 16, 2013, Louis Stokes VAMC submitted a written response to OCR, along with supporting documentation. Louis Stokes VAMC subsequently provided additional responses and documentation throughout the course of this investigation. Based on our review of the facts and circumstances of this matter, we have 1 (?Emmi??'30) noti?ed Louis Stokes VAMC of this matter on or about January 8, 2013. Page 2 determined that all issues raised in this matter at the time it was ?led have now been resolved by the voluntary compliance actions of Louis Stokes VAMC. The Privacy Ruie mandates that a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. 45 C.F.R. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to PHI by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. 45 C.F.R. The Privacy Rule also requires that a covered entity have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 4S C.F.R. In response to investigation, Louis Stokes VAMC con?rmed, in writing, that it has taken the following steps toward resolving the issues raised in the complaint: 1. Conducted an internal investigation into this matter' and 2. Provided verbai counseling to {bmimm'ici and (WWqu Based upon the above information, OCR has determined that no further action is warranted, and therefore, this matter will be closed. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Abby Bonjean, Investigator, at (312) 836-5895. Sincerely, as Celeste H. Davis Regional Manager cc: Ms. Shonta Wright, Vl-iA Privacy Specialist