DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice - (214) 767-4056, (800) 368-1019
TDD (214) 767-8940 - (214) 767-0432

[date illegible] 2013

[redacted]

Ms. Andrea Wilson, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office 10P2C1
Department of Veterans Affairs
Veterans Health Administration
810 Vermont Avenue, N.W.
Washington, DC 20420

Re: [redacted], Jack C. Montgomery VAMC
OCR Transaction Number: 13-152126

Dear [redacted] and Ms. Wilson:

On November 28, 2012, the Office for Civil Rights (OCR) received a complaint alleging Jack C. Montgomery VAMC is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, alleged that on or about September 20-21, 2012, VA employee impermissibly accessed her medical record. alleged that [redacted] was a former boyfriend with no work related reason to access her record. The allegation indicated potential violations of 45 C.F.R. 164.502(a) and

OCR enforces the Privacy and Security Rules and also enforces federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability and age.

As explained at 45 C.F.R. a covered entity may not use or disclose the protected health information of an individual, for purposes outside of treatment, payment or healthcare operations, without the individual's authorization. 45 C.F.R. § 164.530(c) requires a covered entity to reasonably safeguard protected health information from any intentional or unintentional use or disclosure in violation of the standards.

OCR reviewed the matters raised in the complaint and notified the Department of Veterans Affairs of our investigation into the allegations on June 3, 2013. In a response to OCR dated July 3, 2013, the Department of Veterans Affairs Veterans Health Administration explained that it had received a complaint from on October 31, 2012. The internal investigation confirmed that had accessed medical record outside the scope of his job duties. As a result of this complaint, the VHA took the corrective action of counseling and of providing additional HIPAA training to The VHA also provided OCR with a copy of its privacy policy and a copy of the breach notification letter provided to on June 26, 2013.

OCR provides technical assistance to the VHA that a breach notification letter to an affected individual: 1) must be provided in written format, 2) must be provided without unreasonable delay and in no case later than 60 days after discovery of a breach and 3) should include a brief description of what the covered entity is doing to mitigate harm to an individual and to protect against future breaches. See 45 C.F.R. § 164.404.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the Department of Veterans Affairs Veterans Health Administration; therefore, OCR is closing this matter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event that OCR receives such a request, we will seek to protect, to the extent provided by law, personal information which, if released, would constitute an unwarranted invasion of privacy.

If you have any questions, contact Jamie Sorley, Investigator, at (214) 767-8908 (Voice), (214) 767-8940 (TDD).