3m? w?mm? QHEPARTMENT OF a: HUM OFFICE OF THE SECRETARY Voice - (214) rat-toss, taco) 3684 me TDD - (214) rat-seen Of?ce for Civil Rights, Region VI (FAX) . (214) tar-om masculinem - 1301 Young Street, Suite 1169 Dallas, TX 75202 May 13, 2013 Ms. Andrea Wilson, RHIA, CIPP, CIPPIG VI-IA Privacy Implementation Coordinator Information Access and Privacy Of?ce Department of Veterans Affairs - Veterans Health Administration 810 Vermont Avenue, NW. Washington, DC 20420 OCR Transaction No: 13-156384 (taxonomic) Wilson: On February 22, 2013, the U. S. Department of Health and Human Sendces (HI-IS), Of?ce for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Information and/or the Security Standards for the Protection of Electronic Protected Health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy Rule and Securi Rules . Speci?cally, the Complainant, alleged that on February 3, 2013. an employee, accessed medical records without a need recognized by the Privac or Security Rule. Further, the complainant alleged that his medical record was accessed twice by . The alleged incident could re?ect violations of 45 C.F.R. concerning uses and disclosures of protected health information (PHI) and 164.530(c) regarding safeguards. OCR enforces the Privacy Rule, Security Rule and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion We have reviewed the matters raised in the complaint. On March 25, noti?ed Ms. Ms. Andrea Wilson, VHA Privacy Implementation Coordinator, Department of Veterans Affairs - Veterans Health Administration of the complaint. On May 3, 2013, OCR received a response to the complainant's allegation from Carol E. Farer, Privacy Implementation Coordinator, on behalf of Department of Veterans Affairs Veterans Health Administration. - Ms. Farer af?rmed the complainant?s allegation that did access medical records. As a result of this incident; the Department of Veterans Affairs - Veterans Health Administration took the following actions: {bli?liblillt?l 1. A response letter was provided to the complainant on March 19, 2013 that included an assurance that appropriate measures were undertaken to prevent future incidents and protected health information; 2. The breach was reported to HHS as a HITECH breach on March 13, 2013; 3. The employee who impermissiny accessed the complainant?s record was givmi a proposed three (3) day suspension and; 4. The facility Privacy Of?cer conducted Privacy Training for the Sterile Processing Unit on the Use and Access to PHI by VHA Employees and the VA Rules of Behavior. The training was conducted on February 27, 2013 at 7:30am, 8:30am, and 3:40pm. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of Department of Veterans Affairs - Veterans Health Administration; therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted bylaw, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have questions regarding this matter, please write us or contact Myra Fain, Investigator, at 214I767-3923 (Voice), 214l767-8940 (TDD) or W01. Please be advised that communication by e?mail presents a risk of disclosure of the transmitted information to, or interception by, unintended third parties. Please keep this in mind when communicating with us by e- mail. When contacting this of?ce, please remember to include the reference number that we have given