a" is
3 .
ogmnrarssr or .5: HUMAN 
Voice - [214) 757-4055.  363-1019 TDD - [214} 



 

OFFICE OF THE SECRETARY

Office for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX 75202

[214) 

January 8, 2014

 

{bli?libliflicl

 

 

 

Our Transaction Number: 

 

be are
Demililililil

 

 

 

On November 26, 2012, the US. Department of Health and Human Services (HHS), Of?ce
for Civil Rights (OCR), Region VI, received your complaint alleging that The Department of
Veterans Affairs (VA), VA Medical Center (VAMC) in Tuscaloosa, AL, the covered entity,
has violated the Federal Standards for Privacy of Individually Identi?able Health lnfonnation
andfor the Security Standards for the Protection of Electronic Protected Health Information
(45 C.F.R. Parts 160 and 164, Subparts A and the Pivacy and Security Rules).
Speci?cally, you allege that a matte, disclosed your protected health
information (Pl-ll) in front of six people that were in the hallway while you were at the
VAMC for treatment. Under the Privacy Rule, a covered entity may not use or disclose the
of an individual, unless the use or disclosure is permitted or required by the Privacy Rule.
See 45 C.F.R. ?164.502. Further, a covered entity must have in place appropriate safeguards
to protect the PHI of an individual. See 45 C.F.R. 

 

Thank you for bringing this matter to attention. Your complaint is an integral part of
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil
rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain sex
and religion.

We are pleased to inform you that your complaint in this matter has been resolved. As part of
its investigation, OCR has provided VAMC guidance to comply with 45 CPR. ?164.502

concerning uses and disclosures of PHI and 45 C.F.R. 164.530(c) concerning safeguards.
Speci?cally, the verbal disclosure made bywas addressed by the Privacy
Of?cer and an investigation was [undertaken immediately after you ?led the complaint. The
complaint was found to be valid. The issue was addressed at the time of the encounter by the
Coordinator and the nurse apologized to you according to the VAMC in Tuscaloosa, AL. The
nurse provided a statement describing the incident and was required to take additional privacy
training. In addition, the nurse received verbal counseling by her Nurse Manager. According
to the VAMC, you were notified and the incident was reported to the VA Network and
Security Operations Center and classi?ed as a breach and reported to Health and Human
Services per VA policy.

 

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request, we
will make every effort, as permitted by law, to protect infatuation that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Investigator, at 214-
767-4690 (Voice), 214?767-8940 (TDD).

 

 

a,


PARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY

3 Voice - (214) rev-aces, taco; sea-1019 TDD - (214} rev-arm

5' (FAX) - (214) RFD-132 migrmh?p?toert Office for Civil Rights, Region VI
man not Young Street, Suite use

Dallas, TX 75202
January 8, 2014

Ms. Andrea Wilson, RHIA, CIPP, CIPPIG
Privacy Implementation Coordinator

VHA Information Access Privacy Of?ce
01 Central Of?ce

Veterans Health Administration

810 Vermont Avenue, NW.

Washington, 110. 20420

Our Transaction Number: 13-1 53664
Dear Ms. Wilson:

On November 26, 2012, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region IV, received a complaint alleging that the VA Medical Center (V AMC) in
Tuscaloosa. AL, the covered entity, has violated the Federal Standards for Privacy of Individually
Identi?able Health Information andlor the Security Standards for the Protection of Electronic
Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and
Security Rules). Speci?cally, the complainant, lalleged that a nurse, {Helibliil
disclosed her protected health information (PHI) in from of six people that were in the
hallway while she was at the VAMC for treatment. Under the Privacy Rule, a covered entity may
not use or disclose the PHI of an individual, unless the use or disclosrue is pennitted or required by
the Privacy Rule. See 45 CPR. (5164-502- Further, a covered entity must have in place appropriate
safeguards to protect the PHI of an individual. Sec 45 C.F.R. 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

OCR is pleased that VAMC Tuscaloosa, AL has taken the following steps toward coming into
compliance with 45 C.F.R. ?164502 impermissible uses and disclosures and 45 CPR. {3164.530 
concerning safeguards. internal investigation showed that PHI was disclosed by the nurse
and that the complainant had spoken to the Privacy O?icer. The nurse acknowledged that she made
a verbal disclosure in front of others. According to VAMC, the nurse received verbal counseling by
the Nurse Manager and was also provided additional privacy training. The complainant was sent a
noti?cation letter November 4, 2012. The letter informed the complainant that appropriate measures
were taken and she was offered an apology. VAMC provided OCR copies of the letters sent to the
complainant and various documents from the investigation.

Please note that, after a period of six months has passed, OCR may initiate and conduct a
compliance review of VAMC, Tuscaloosa, AL related to your compliance with 45 CPR. ?164.502
impermissible disclosures and CPR. ?64.530 conceming safeguards.

Based on the foregoing, OCR is closing this case without further action, e??ective the date of
this letter.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as pennitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Investigator,
at 214-767-4690 (Voice), 214-767-8940 (TDD).

Sincerely,

orge A. Lo
Regional