VA Privacy Violations On the Increase

The Department of Veteran Affairs has come under fire for the number of privacy violations caused by its employees since. Figures compiled by ProPublica show that over 10,000 privacy violations have been committed by VA staff since 2011. In spite of these data breaches, the VA has escaped public criticism and fines from Office for Civil Rights.

Between 2011 and 2015, more than 300 complaints were submitted to OCR regarding violation of veterans’ privacy. Out of those complaints 220 resulted in action being taken; either the provision of technical assistance or the issuing of a corrective action plan (CAP).

Annual VA Privacy Violations Almost Double 2011 Figures

Complaints filed against the VA have increased significantly over the past five years. In 2011, 1,547 complaints were filed. By 2015, the annual total had reached 3,054. Even though increasing numbers of VA privacy violations have been reported by veterans and members of VA staff, no OCR financial penalties have been issued.

The vast majority of reported VA privacy violations were the result of simple mistakes made by members of the VA staff. Each month the VA submits a report of privacy incidents to congress which details numerous VA privacy violations. These are typically lost PIV cards, mis-mailings, and mishandling incidents.

Patients are accidentally sent letters intended for other veterans, or their PHI is otherwise exposed. In most cases these incidents only affect one or two veterans; however, some serious privacy incidents have been reported that have affected numerous veterans, or have caused individuals to come to harm.

According to the recently created HIPAA Helper database, the Sunshine Healthcare Network has suffered the most privacy incidents with 370 reported since 2011. The Bay Pines Medical Center suffered the most, accounting for 112 of the network’s privacy incidents.

It should be noted that the VA runs the largest healthcare system in the country. Each year more than 9 million patients receive medical services through the VAs 150 hospitals and many medical centers. Some privacy violations are therefore to be expected, although there is concern about the number of violations that are occurring.

The VA has also come under criticism in recent months after allegations emerged of veterans’ medical records being inappropriately accessed by VA employees. While this is not uncommon in the healthcare industry, allegations have been made by whistleblowers that their files have been accessed by numerous employees looking to discredit them.

One whistleblower, Brandon Coleman, has said on record that the accessing of co-workers medical records “is widespread throughout the VA.” The inappropriate accessing of medical records of whistleblowers has caused concern. Senate Committee on Veterans’ Affairs Senator, Richard Blumenthal, has proposed new legislation to tackle the issue. His proposed VA Patient Protection Act aims to tackle the issue and to better protect veterans who uncover wrongdoing and wish to speak up. The VA Patient Protection Act is intended to hold supervisors accountable for inappropriate accessing of medical records and better protect whistleblowers who step forward and testify.

Cases of inappropriate accessing of medical files are investigated by the VA and action is taken against the individuals concerned. According to a statement provided to ProPublica, “Complaints that VA receives from whistleblowers about inappropriate access to their health records are thoroughly investigated and appropriate actions are taken where warranted.”

While reports of VA privacy violations appear to be increasing, some members of the VA have said the increase is due to employees being encouraged to speak up and report issues when they are discovered.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news