DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Voice - (214) rev-4on3, {soc} 363-1019
TDD tar-3940
Office for Civil Rights, Region VI
FAX - (214) tar-cor
Wm ram Young Street, Suite use carat, TX 152m

JUN 2 2013

[redacted]

Ms. Andrea Wilson, RHIA, CIPP
VHA Privacy Implementation Coordinator
Information Access & Privacy Office-10P2C1
Dept of Veteran's Affairs/Veterans Health Admin
810 Vermont Avenue, NW
Washington, DC 20420

OCR Transaction Number: 12444294

Dear and Ms. Wilson:

On June 7, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, alleged that multiple coworkers at Alexandria VA Health Care System, covered entity, viewed her medical record without a need to know. also alleged she was harassed by a coworker that allegedly accessed her record. alleged that [redacted] started harassing her after she was interviewed for accessing medical record. [redacted] alleged she reported this felt this harassment was a result of her exercising her privacy rights by complaining to the covered entity. These allegations could reflect a violation of 45 C.F.R. 164.502 pertaining to uses and disclosures of protected health information and 45 C.F.R. 164.530(g) pertaining to administrative requirements: refraining from intimidating/retaliatory acts.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR commenced an investigation into the allegations.
The covered entity responded to OCR with details and documentation of its internal investigation. The covered entity acknowledged that there were impermissible accesses to the complainant's health record over a period of years. Discovery of this information was provided to the VA Network and Security Operations Center as well as OCR as a HITECH breach. The covered entity provided OCR with documentation that it provided the complainant with credit monitoring protection for one year as a result of the incident. Aside from the credit monitoring provided to the complainant, further mitigation efforts included retraining of employees involved as well as one-on-one retraining for certain employees. The covered entity provided OCR with an explanation on why it chose to approach its sanctioning practice in the particular manner it did when conducting its investigation. Lastly, the covered entity explained that at the time of its investigation, it addressed the complainant's concern of harassment with [redacted]. It provided OCR with information on how the incident was addressed.

OCR has reviewed the covered entity's actions taken in response to the complaint allegations including the covered entity's investigation; policies and procedures pertaining to the uses and disclosures of protected health information and its complaint process; credit monitoring to the complainant; training; and sanctioning of workforce member(s) who failed to comply with company policies. OCR is satisfied with the covered entity's mitigation efforts of the incident, as complained of by Therefore, OCR concludes that the matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the covered entity. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Ms. Valerie Garrett, Investigator, at (214) (Voice), (214) 761-8940 (TDD).

Sincerely,

Jorge A. 5:
Regional Manager