DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice - (214) 767-4056, (800) 368-1019
TDD - (214) 767-3940
FAX - (214) 767-0432

Office for Civil Rights, Region VI
1304 Young Street, Suite [illegible]
Dallas, TX 75102

[illegible] 26, 2013

[redacted]

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Ofc-10P2C1
Department of Veterans Affairs-Veteran Health Admin.
810 Vermont Avenue NW
Washington, D.C. 20420

Our Transaction Number: 12-145003

Re: Alexandria VA Health Care System, 2495 Shreveport Hwy 71 North, Pineville, LA

Dear [redacted] and Ms. Wilson:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has completed its investigation of the above-entitled complaint filed by [redacted] against Alexandria Veterans Affairs Health Care Center ("Alexandria VA"). OCR is responsible for determining the compliance status of covered entities with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).

The complaint, received by OCR on June 22, 2012, alleges that two workforce members accessed the protected health information (PHI) of [redacted]. [redacted] alleges that the reason for access is not a valid reason recognized by the Privacy or Security Rule.

Under the Privacy Rule, a covered entity must make reasonable efforts to limit the access of its workforce members to that which is minimally necessary to perform the stated job duties. 45 C.F.R. Failure to implement these reasonable efforts may lead to an impermissible use of PHI. 45 C.F.R. 164.502.

OCR has reviewed all of the evidence presented in reference to the issue addressed in the complaint. This letter explains OCR's determination.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

On October 31, 2012, OCR notified Alexandria VA of the complaint. Alexandria VA admits that on numerous occasions the workforce members previously mentioned accessed PHI. Because of this incident Alexandria VA:

1. Instructed [redacted] to cease and desist with accessing [illegible];
2. Provided retraining to [redacted] and [redacted];
3. Entered this incident into the Veteran Affairs Network Security Operations Center event ticket application;
4. Removed [redacted] access to the Employee Health records; and
5. Provided with credit monitoring.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Alexandria VA; therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any question regarding this matter, please contact Vaniecy Nwigwe, Senior Investigator, at 214-767-4054 (Voice), 214-767-3940 (TDD).

Sincerely,

Jorge [illegible]
Regional Manager
Region VI