a?




DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY



is 4214} tor-eer

5 - {214) Of?ce for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX 752.2

November 7, 2013

{Didi} {b19103}!

 

 

 

 

Our Transaction Number: 12-143 300

 

{Dii?iibi?i
Deaf to:

 

 

 

On May 29, 2012, the US. Department of Health and Human Services (HHS), Of?ce for
Civil Rights (OCR), received a complaint alleging that the Veterans Administration Medical
Center (VAMC) in New Orleans, LA, the covered entity, has violated the Federal Standards
for Privacy of Individually Identi?able Health Information andfor the Security Standards for
the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164,
Subparts A, C, and E, the Privacy and Security Rules}. Speci?cally, you alleged that after
obtaining your sensitive access report, you noticed that there were several inquiries into your
medical record that were not authorized by you. In addition, you alleged that these individuals
that accessed your record were not involved in your health care and you believed that the
individuals that accessed your record used the information to discredit you in an EEOC
complaint. The alleged incidents could re?ect violations of the provisions at 45 GER.
?164.502 impermissible uses and disclosures and 45 CPR. ?lo4.530 concerning
safeguards and 45 CPR. ?164.503 authorizations for uses and disclosures.

Thank you for bringing this matter to attention. Your complaint is an integral part of
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex
and religion.

We are pleased to inform you that your comptaint in this matter has been resolved. As part of
its investigation, OCR is pleased that VAMC in New Orleans, LA. has taken the following
steps toward coming into compliance with 45 C.F.R. ?l64.502 impermissible uses and
disclosures and 45 C.F.R. ?164.530 concerning safeguards and 45 CPR. ?164.508
authorizations for uses and disclosures. VAMC acknowledged that their investigation showed
that four VAMC employee?s names were given to VAMC after interviewing you. It was
detenniaed that two physician?s access of your record was for health care operations. One
physician?s access was claimed to have been for re?lling or checking the status of
prescriptions, but you denied the physician?s statement. One employee?s access was found to
be impermissible, but without malicious intent. The employee who impermissiny accessed
the complainant?s record has received a written counseling. In addition, a letter of apology
was sent to you that included ?ndings of their investigation. VAMC provided OCR

 

a copy of the letter of apology to you. Various documents of the investigation were also
provided to OCR. OCR was informed that VAMC of New Orleans, LA, has changed the
Employee Assistance Program to require that an authorization be obtained before any access
to the Veteran health record.

Based on the foregoing, OCR is closing this case without further action, effective the date of
this letter.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identifies
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Investigator,
at 214-767-4690 (Voice), 214-767-8940 (TDD).

 

 

MW

 

015 ?um? 4

MARRIENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY

Voice - {214} (300) 353-1019 TDD - {214) 

(Faai-tz141rsr-otsa WM Of?ce for Civil Rights, Region VI

an,? 1301 Young Street, Suite 1169
Dallas, TX 75202

Ms. Andrea Wilson, RHIA, CIPP, CIPPIG
Privacy Implementation Coordinator

VHA Information Access Privacy Of?ce
01 Central Of?ce

Veterans Health Administration

310 Vermont Avenue, NW.

Washington, DC. 20420

Our Transaction Number: 12-1 43800
Dear Ms. Wilson:

On May 29, 2012, the U.S. Department of Health and Human Services (HI-IS), Of?ce for Civil
Rights (OCR), received a complaint alleging that the Veterans Administration Medical Center
(VAMC) in New Orleans, LA, the covered entity, has violated the Federal Standards for Privacy of
Individually Identi?able Health Information andfor the Security Standards for the Protection of
Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the
Privacy and Security Rules). Speci?cally, the complainant, alleged that after
obtaining her sensitive access report, she noticed that there were several inquiries into her medical
record that were not authorized by her. In addition, the complainant alleged that these individuals
that accessed her record were not involved in her health care and she believes that the individuals
that accessed her record used the information to discredit her in an EEOC complaint. The alleged
incidents could re?ect violations of the provisions at 45 C.F.R. ?164.502 impermissible uses and
disclosures and 45 C.F.R. ?164.530(c) concerning safeguards and 45 CPR. ?164.508 authorizations
for uses and disclosures.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR is pleased that VAMC in New Orleans, LA. has taken the following steps toward coating into
compliance with 45 C.F.R. ?164.502 impermissible uses and disclosures and 45 C.F.R. ?164.530 
concerning safeguards and 45 C.F.R. ?164.508 authorizations for uses and disclosures. VAMC
acknowledged that your investigation showed that four VAMC employee?s names were given to
VAMC after interviewing the complainant. It was determined that two physicians access of the
complainant?s record was for health care operations. One physician?s access was claimed to have
been for re?lling or checking the status of prescriptions, but the complainant denied the physician?s
statement. One employee?s access was bound to be impermissible, but without malicious intent. The
employee who impermissiva accessed the complainant?s record has received a written counseling.
OCR was informed that VAMC of New Orleans, LA, has changed the Employee Assistance
Program to require that an authorization be obtained before any access to the 1it'eteran health record.

 

In addition, a letter of apology was sent to the complainant. VAMC provided OCR copies of the
letter of apology which included the ?ndings of the investigation and various documents from the
investigation.

Please note that, after a period of six months has passed, OCR may initiate and conduct a
compliance review of Compassion Women?s Clinic related to your compliance with 45 CPR.
?164.502 impermissible disclosures and C.F.R. ?64.530 concerning safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request, we
will make every effort, as permitted by law, to protect information that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Investigator, at 214-
767-4690 (Voice), 214-767-8940 (TDD).

Sincerely,