f?m?k DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY Ev Voice - (312} 333-2359 Of?ce for Civil Rights, Region 5 TDD - (312) 353-5693 233 N. Michigan Ave, Suite 240 ?it (FAX) - (312) 336-1337 Chicago, IL 60601 April 22, 2014 Andrea Wilson, RHIA, MAM, Privacy Implementation Coordinator VHA Information Access Privacy Of?ce Department of Veterans Affairs Veterans Health Administration 310 Vermont Ave, NW Washington, DC 20420 Re: v. Edward Hines Jr. VA Hosital OCR Transaction Number: 13- 1613 9'7 De {bll?liblli?llci Ms. Wilson: On September 9, 2013, the U.S. Department of Health and Human Services (HI-IS), Of?ce for Civil Rights (OCR), Region V, received a complaint ?led by the complainant, and alleging that Edward Hines, Jr. VA Hospital (Hines), the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, alleges that various co?workers have accessed his protected health information (PHI) without a business reason to do so. provided OCR with a list of the co-workers? names he believes impermissiny accessed his PHI. This allegation could re?ect a violation of 45 C.F.R. OCR enforces the Privacy and Security Rules, and the Breach Noti?cation Rule. OCR also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint. On November 19, 2013, OCR noti?ed Hines of this complaint. On February 26, 2014, Hines provided a written response to OCR. Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was ?led have now been resolved by the voluntary compliance actions of Hines. Page 2 Hines acknowledged that some of the staff impermissibiy accessed health records. Hines reported that some staff had accessed the health record at {bilellbimlcl request. Speci?cally, had requested staff ?nd out his next appointment dates and times. Hines also reported that some staff legitimately accessed the records for purposes of scarming and coding. Some staff indicated that they had accessed the record in error because FEMBDM is a common name. Finally, other staff members did not recall the reason why they accessed.le record. To resolve the issues raised in this matter, Hines took the following voluntary actions: 1) conducted an investigation; 2) counselled the staff who could not substantiate a business reason to access health record and had them retake the 2014 Privacy and HIPAA training: 3) made procedural changes that require staff to direct questions regarding appointments to the appropriate clinic clerk or other staff whose job responsibilities include scheduling; and 4) discussed impermissible access at the facility?s Town Hall meeting on February 12, 2014. Hines also submitted to OCR copies of its Privacy Policies and Procedures pertaining to its uses and disclosures of PHI and sanctions. OCR found that these policies and procedures generally comport with the requirements of the Privacy Rule. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Alyce Hilden, Investigator, at (312) or (312) 353-5693 (TDD). Sincerely, Celeste H. Davis Regional Manager