6.1mm. DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY Voice - (214) 757-1055, (300} 333-1019 TDD - (214} 76139-40 - (214) WW ?f?ee for Civil Rights, Region 130'] Young Street, Suite [169 Dallas, Tx 7520c January 2014 (bliEli?liiliCl Ms. Andrea Wilson VHA Privacy Of?ce Manager (10P2C1) Department of Veterans Affairs Veterans Health Administration 810 Vermont Ave, NW. Washington, D.C, 20420 Our Transaction Number: 12- 1 44339 Dear {bit?itbitiltcl and Ms, Wilson: On June 2012, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), received a complaint alleging that Michael E. DeBakey VA Medical Center, the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complainant, alleges that an employee of the VA Medical Center viewed her medical record for the sole purpose of writing up a disciplinary action against her. The alleged incident could re?ect violations of the provisions at 45 ?164502 impermissible uses or disclosures of protected health information (PHI) and 45 CPR- ?164-53tl concerning safeguards. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR is pleased that The Department of Veterans Affairs (VA), Veterans Health Administration (VHA) has taken the following steps toward coming into compliance with 45 C.F.R. ?164.502 impermissible uses or disclosures and 45 (3.173. ?164.530 concerning safeguards. The VA acknowledged that staff members on occasions access PHI that was not needed to do their jobs. The investigation showed that the complaint made by {bmimmio' was valid and employees mentioned in the complaint were counselled and required to retake the 2014 Privacy and HIPAA training. OCR was provided a copy of the signed and dated certi?cates. In addition, the covered entity has taken further action and revised the Administration Nurse of the Day report by removing the requirement to collect the sensitive employee information. The revised form simply collects date, time, and service line and a description of the event. . . On December 2, 2013, i was sent a letter from the Privacy Of?cer that explains the outcome of the complaint. The VA provided OCR copies of their Policies and Procedures regarding Uses and Disclosures of and Safeguarding PHI. When reviewed by OCR, the Policies and Procedures appear to comply with the Privacy and Security Rules. Please note that, a?er a period on? six months has passed, OCR may initiate and conduct a compliance review of the Michael E. DeBakey Veterans Administration Medical Center related to your compliance with 45 C.F.R, ?164.502 impermissible uses and disclosures and C.F.R. {364.530 concerning safeguards. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Adriane Springs, Investigator, at 214- 76754690 (Voice), 214-767-8940 (TDD). cc: Ms. Kimberly Murphy-DeCoste