Case: 24-1305 Document: 21 Page: 1 Filed: 06/04/2024

NOTE: This disposition is nonprecedential.

United States Court of Appeals for the Federal Circuit ______________________

ALFONSO G. RAMIREZ, Petitioner

v.

DEPARTMENT OF VETERANS AFFAIRS, Respondent ______________________

2024-1305 ______________________

Petition for review of the Merit Systems Protection Board in No. DE-0752-14-0482-I-1. ______________________

Decided: June 4, 2024 ______________________

ALFONSO G. RAMIREZ, Tucson, AZ, pro se.

STEPHEN J. SMITH, Commercial Litigation Branch, Civil Division, United States Department of Justice, Wash- ington, DC, for respondent. Also represented by REGINALD THOMAS BLADES, JR., BRIAN M. BOYNTON, PATRICIA M. MCCARTHY. ______________________

Before LOURIE, BRYSON, and REYNA, Circuit Judges. Case: 24-1305 Document: 21 Page: 2 Filed: 06/04/2024

2 RAMIREZ v. DVA

PER CURIAM. Alfonso G. Ramirez appeals pro se a final order of the Merit Systems Protection Board denying his petition for re- view of the administrative judge’s initial decision. We af- firm. BACKGROUND Mr. Ramirez was employed as a Program Support As- sistant at the Southern Arizona Veterans Administration Health Care System. SAppx2. 1 On three separate occa- sions during his employment, Mr. Ramirez sent documents to the U.S. Department of Veterans Affairs’ (“VA”) Office of Resolution Management (“ORM”) that contained sensitive patient information such as patient names, addresses, full or partial social security numbers, and medical diagnoses. SAppx2–3. After Mr. Ramirez sent the first set of docu- ments to ORM, ORM sent Mr. Ramirez a letter informing him that his submission may be a privacy violation and in- structing him to not mention any veteran’s sensitive pa- tient information in future submissions. SAppx24. ORM also forwarded the first set of documents to Mr. Ramirez’s employer and instructed it to send the documents to its pri- vacy officer for “appropriate action.” Id. Before Mr. Ramirez received ORM’s letter, he sent documents contain- ing sensitive patient information to ORM a second time. Id. Then, after Mr. Ramirez received ORM’s letter, Mr. Ramirez sent documents containing sensitive patient infor- mation to ORM a third time. Id. ORM again notified both Mr. Ramirez and his employer that each submission was a potential privacy violation. SAppx24–25. A privacy officer met with Mr. Ramirez shortly after the third submission and confirmed that Mr. Ramirez had released sensitive patient information to ORM on three

1 “SAppx” refers to the appendix accompanying the government’s responsive brief. Case: 24-1305 Document: 21 Page: 3 Filed: 06/04/2024

RAMIREZ v. DVA 3

separate occasions. SAppx26. Separately, the VA Network Security Operations Center conducted a risk assessment (“Risk Assessment”) of Mr. Ramirez’s disclosures to deter- mine whether the VA was required under Subpart D of the Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936 (1996) (“HIPAA”) to provide no- tice to affected veterans. SAppx5. The Risk Assessment concluded that Mr. Ramirez’s disclosures did not amount to a data breach requiring notice to affected veterans. Id. The VA then issued to Mr. Ramirez a notice of proposed removal based on two charges: that Mr. Ramirez violated HIPAA Subpart E and that he violated the Privacy Act, 5 U.S.C. § 552a. SAppx22. Mr. Ramirez responded to the VA’s proposed notice of removal. Id. The VA’s deciding official sustained both charges and imposed a penalty re- moving Mr. Ramirez from federal service. Id. Mr. Ramirez appealed the VA’s decision to remove him to the Merit Systems Protection Board (“Board”), and an administrative judge affirmed the removal. Ramirez v. Dep’t of Veterans Affs., 2016 WL 4417576 (M.S.P.B. Aug. 19, 2016) (SAppx21–51) (“Initial Decision”). 2 Mr. Ramirez filed a petition for review of the administrative judge’s ini- tial decision by the full Board. SAppx1. The Board denied the petition, modified the initial decision in part, and oth- erwise affirmed. Ramirez v. Dep’t of Veterans Affs., 2023 WL 8543051 (M.S.P.B. Dec. 8, 2023) (SAppx1–20) (“Final Order”). Mr. Ramirez appeals. We have jurisdiction under 28 U.S.C. § 1295(a)(9). STANDARD OF REVIEW Our review of Board decisions is limited. 5 U.S.C. § 7703(c). We set aside a Board decision only when it is “(1)

2 The electronic version of the Initial Decision at 2016 WL 4417576 does not have page designations. There- fore, we cite to the Initial Decision found at SAppx21–51. Case: 24-1305 Document: 21 Page: 4 Filed: 06/04/2024

4 RAMIREZ v. DVA

arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law; (2) obtained without proce- dures required by law, rule, or regulation having been fol- lowed; or (3) unsupported by substantial evidence.” Id. We review the Board’s legal determinations de novo and its fac- tual findings for substantial evidence. Bryant v. Dep’t of Veterans Affs., 26 F.4th 1344, 1346 (Fed. Cir. 2022). DISCUSSION Mr. Ramirez’s arguments on appeal boil down to his contention that the Board erred in affirming his removal when it ignored the Risk Assessment’s finding that his dis- closure of sensitive patient information did not amount to a data breach under HIPAA Subpart D. Appellant Infor- mal Br. 1–2. According to Mr. Ramirez, he should not have been removed because he did not cause a data breach. Id. We are not persuaded. When an employee challenges an adverse employment action, such as termination of employment, the agency must prove by a preponderance of the evidence that it had a “rational basis” for the adverse employment action. Mitchum v. Tenn. Valley Auth., 756 F.2d 82, 84–85 (Fed. Cir. 1985). Among other things, the agency must show that the employee engaged in “charged conduct.” Pope v. U.S. Postal Serv., 114 F.3d 1144, 1147 (Fed. Cir. 1997). Here, the VA charged Mr. Ramirez with a violation of HIPAA Subpart E. Subpart E prohibits the use or disclosure of protected health information by “covered entities,” 3 such as Mr. Ramirez’s former employer. 45 C.F.R. § 164.502(a). The Board affirmed the VA’s finding that Mr. Ramirez

3 The definition of “covered entities” is found at 45 C.F.R. § 160.103 and includes VA hospitals such as Mr. Ramirez’s former employer. See Final Order, 2023 WL 8543051, at *2 n.4. Mr. Ramirez does not challenge on ap- peal that his former employer is a covered entity. Case: 24-1305 Document: 21 Page: 5 Filed: 06/04/2024

RAMIREZ v. DVA 5

violated Subpart E. Mr. Ramirez provides no basis as to why the Board’s determination was legally erroneous, ar- bitrary, capricious, or unsupported by substantial evi- dence. We see no error with the Board’s determination. The record shows that Mr. Ramirez violated Subpart E, a find- ing that Mr. Ramirez does not challenge on appeal. In- stead, Mr. Ramirez’s argument only relates to Subpart D. As for Subpart D, the Board rejected Mr. Ramirez’s argu- ment as immaterial because the VA removed Mr. Ramirez for violating HIPAA Subpart E, not D. Final Order, 2023 WL 8543051, at *3. While Subpart E prohibits the disclo- sure of protected health information, Subpart D asks the additional question of whether a disclosure of protected health information amounts to a data breach, thereby re- quiring notice to affected individuals. 45 C.F.R. §§ 164.402, 404. Thus, whether Mr. Ramirez violated Sub- part D is irrelevant to the Board’s determination at issue. Assuming Mr. Ramirez did not violate any portion of HIPAA, his appeal still falls short. The Board affirmed the VA’s removal of Mr. Ramirez based on two separate charges—violating HIPAA Subpart E and violating the Pri- vacy Act. Final Order, 2023 WL 8543051, at *1–4. The Privacy Act prohibits agency disclosure of any record con- tained in a system of records without prior written consent of the individual to whom the record pertains, subject to several exceptions. 5 U.S.C. § 552a(b). Mr. Ramirez’s ar- gument on appeal regarding the Risk Assessment has no bearing on his violation of the Privacy Act. Mr. Ramirez provides no basis as to why the Board’s Privacy Act deter- mination was erroneous or why the penalty of removal would be unreasonable based on a violation of the Privacy Act alone. We find that the Board’s Privacy Act determi- nation was not legally erroneous and that the Board’s fac- tual findings are supported by substantial evidence. Case: 24-1305 Document: 21 Page: 6 Filed: 06/04/2024

6 RAMIREZ v. DVA

CONCLUSION We have considered Mr. Ramirez’s remaining argu- ments and find them unpersuasive. For the reasons stated, we affirm the Board’s denial of Mr. Ramirez’s petition for review. AFFIRMED COSTS No costs.