DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice - (214) rot-toss {soc} ass-101s
TDD - (214) Tor-3940
(FAX) - (214) tor-0432

SEP 12 2013

Ms. Andrea Wilson, RHIA, CIPP, CIPP/G
VHA Privacy Implementation Coordinator
Information Access and Privacy Office
Department of Veterans Affairs
Veterans Health Administration
310 Vermont Avenue, N.W.
Washington, DC 20420

Re: [redacted] v. Carlsbad Medical Center
OCR Transaction Number: 13-153069

Dear [redacted] and Ms. Wilson:

On December 17, 2012, the Office for Civil Rights (OCR) received a complaint alleging the Department of Veterans Affairs facility in Muskogee, OK is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, [redacted] alleges that co-workers/employees not involved in her August 24, 2012 treatment impermissibly accessed her electronic medical record. Specifically, the complaint alleges multiple persons impermissibly accessed her record, as documented in a Sensitive Patient Access Report run on December 11, 2012: [redacted]

The complaint allegations indicated potential violations of 45 C.F.R. and

OCR enforces the Privacy and Security Rules and also enforces federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability and age.

As explained at 45 C.F.R. a covered entity may not use or disclose the protected health information of an individual, for purposes outside of treatment, payment or healthcare operations, without the individual's authorization. 45 C.F.R. § 164.530(c) requires a covered entity to reasonably safeguard protected health information from any intentional or unintentional use or disclosure in violation of the standards.

OCR reviewed the matters raised in the complaint and notified the Department of Veterans Affairs of our investigation into the allegations on January 14, 2013. In a response to OCR dated March 12, 2013, the VA explained that it had initiated an investigation after receiving a complaint from [redacted] in December 2012. The VA determined that seven of the named employees had a [text illegible] [redacted]

OCR notes that [redacted] disagreed [redacted] access was related to official duties as [redacted] worked at the Tulsa facility, not the Muskogee facility at which [redacted] received treatment. The VA investigated further and determined that as an EKG technician at the Tulsa facility, [redacted] had received a "view alert" that a consult had been entered for an EKG and that [redacted] had viewed the alert to determine whether action needed to be taken by staff at the Tulsa facility. The VA reaffirmed its position that access of the record was for purposes related to her official job duties.

The investigation was unable to verify that three of the named employees had accessed [redacted] record for official duty purposes. [redacted], a patient services assistant, accessed CPRS in March 2012, prior to the August 2012 patient encounter. [redacted] reported he believed he had accessed the record in error while attempting to access another patient's record. The VA confirmed the existence of similarly named patients and noted that at the time of access, no patient treatment record existed and employee health records had been segregated and required a separate access key. However, based on its internal investigation, the VA determined that the accesses made by [redacted] and [redacted] were not in compliance with the policy.

As a result of this complaint, the VA took the corrective action of sanctioning [redacted] and [redacted]. During this investigation, OCR reviewed the HIPAA policies and procedures related to the allegations and documentation that involved workforce members had completed the required HIPAA training. OCR also reviewed a copy of the follow-up and apology letters to [redacted] March [,2013.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the Department of Veterans Affairs; therefore, OCR is closing this matter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event that OCR receives such a request, we will seek to protect, to the extent provided by law, personal information which, if released, would constitute an unwarranted invasion of privacy.

If you have any questions, contact Jamie Soriey, Investigator, at (214) 767-3903 (Voice), (214) 767-8940 (TDD).