Health Information Management

Investigation reveals Veterans Administration privacy breaches

HIM-HIPAA Insider, October 21, 2013

by Jaclyn Fitzgerald, Associate editor

Veterans Administration (VA) employees or contractors were responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 to May 31, 2013, according to a recent Pittsburgh Tribune-Review investigation. The violations affected at least 101,018 veterans and 551 VA employees, the newspaper reported.

Reporters analyzed the VA Risk Management and Incident Response Resolution Team reports, which revealed a history of medical record snooping and the loss of sensitive data such as Social Security numbers. Since 2010, criminal investigators came across 11 instances of VA employees stealing veterans’ identities or prescriptions, according to the report.

The newspaper uncovered the following information during its investigation of records from 2010 to May 31, 2013:

  • The VA reported one in every 365 privacy violations to the OIG.
  • Providers violated the privacy of 2,856 veterans by illegally releasing patient information or failing to obtain patient consent for studies.
  • The VA compromised the PHI of 16,183 veterans by failing to encrypt data on electronics that were lost or stolen.
  • VA employees compromised the PHI of 836 veterans and two VA employees when they lost paperwork in restrooms.
  • VA employees compromised the PHI of 1,118 veterans by faxing medical records to the wrong destination.
  • The VA provided prescriptions or paperwork of 5,254 veterans to the wrong person. One in five of these incidents resulted in the disclosure of veterans’ birth dates, complete or partial Social Security numbers, or diagnoses.

Under the HIPAA omnibus rule, HHS can fine covered entities and business associates up to $1.5 million per HIPAA violation. However, no breach related to the VA has resulted in a monetary settlement, according to the Pittsburgh Tribune-Review.

A statement from VA officials said the agency is retraining employees to “achieve a culture change in which all VA employees understand the importance of protecting veteran information as part of their daily routine,” according to the Pittsburgh Tribune-Review.

The VA retrained employees for privacy violations 498 times in 2010, 1,134 times in 2011, and 1,387 times in 2012, the Pittsburgh Tribune-Review reported.
