DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX
Voice - (214) 761-4056
TDD - (214) 767-8940

February 3, 2014

OCR Transaction Number: 12-139109

On February 15, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights received your complaint alleging that Southeast Louisiana Veterans Health Care System, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you alleged that, on various dates in 2011, workforce members of Southeast Louisiana Veterans Health Care System, the covered entity, accessed your protected health information. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and

Thank you for bringing this matter to attention. Your complaint is an integral part of enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided Southeast Louisiana Veterans Health Care System with guidance to comply with 45 C.F.R. 164.502(a) and Specifically, Southeast Louisiana Veterans Health Care System sanctioned the workforce members who were involved as well as provided you with credit monitoring services to help alleviate any potential negative impact from the alleged violation and sanctioned workforce members.
For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to 45 C.F.R. 164.502(a) and

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ms. Valerie Garrett, Investigator, (E-mail) or (214) 767-8940 (TDD).

Sincerely,

Regional Manager

Enclosure: Safeguards

Reasonable Safeguards
45 C.F.R. 164.530

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. § 164.530. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals'
health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX
TDD - (214) 767-8940

February 3, 2014

Ms. Andrea Wilson, CIPP, VHA Privacy Implementation Coordinator
Information Access & Privacy Office
Department of Veterans Affairs - Veterans Health Administration
810 Vermont Avenue, NW
Washington, DC 20420

OCR Transaction Number: 12-139109

Dear Ms. Wilson:

On February 15, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that Southeast Louisiana Veterans Health Care System, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, alleged that, on various dates in 2011, workforce members of Southeast Louisiana Veterans Health Care System, the covered entity, impermissibly accessed her protected health information. This allegation could reflect a violation of 45 C.F.R.
164.502(a) and

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR is pleased that the covered entity has taken the following steps toward coming into compliance with 45 C.F.R. 164.502(a) and 164.53 per the information received from the complainant:

1. Sanctioning of the workforce members who were involved;
2. Providing the complainant with credit monitoring services to help alleviate any potential negative impact from the alleged violation.

OCR has determined that the following corrective actions are needed to bring the covered entity into compliance with 45 C.F.R. 164.530(c) and

1. Review of current policies and procedures pertaining to the safeguarding of protected health information to ensure effectiveness.
2. Training implementation of those policies and procedures mentioned above with appropriate workforce members.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of the covered entity related to your compliance with 45 C.F.R. 164.530(c) and

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Valerie Garrett, Investigator, (E-mail) or (214) 767-8940 (TDD).

Sincerely,

orge A.
Lo Regional