The U.S. Department of Veterans Affairs has suffered from a large number of data violations of the Health Insurance Portability and Accountability Act (HIPAA), according to an Oct. 12 Pittsburgh Tribune-Review report.
In its two-month investigation, the Tribune-Review found that VA workers or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, 2013, the Tribune-Review reported.
The violations affected 101,018 veterans and 551 VA employees, according to the report.
Follow encryption standards outlined by the National Institute of Standards and Technology (NIST) even if technical controls already exist. Train staff on HIPAA rules and how to report a breach if one occurs. Assess security risks, every six months or more frequently.
The Veterans Administration has struggled to keep patient data secure.
Incidents included posting photos of patients’ anatomy on social media and using IDs to create fraudulent credit cards. The VA’s Risk Management and Incident Response Resolution Team reported illegal snooping through patient files, and a loss of sensitive data such as Social Security numbers, the Tribune-Review reported.
Calls and emails by CruxialCIO to the VA went unanswered, possibly due to the federal government shutdown or the Columbus Day holiday.
However, agency spokeswoman Genevieve Billia told the Tribune-Review in a written statement that the VA “places the highest priority upon safeguarding the personal information” of veterans and protects records through the use of technology.
The department has strict guidelines that “go beyond what is required by law” and takes data breaches “very seriously,” Billia added.
In 82 cases, health care providers at the VA shared medical information illegally or failed to secure patient consent during studies.
Terminations for privacy violations were rare according to the Tribune-Review report. VA privacy officers recommend the dismissal of 31 workers for the breaches. The personnel included contractors, volunteers, medical students and part-time staffers.
A 2006 laptop theft of a laptop left 26.5 million veterans’ records at risk, and after 2010 a lack of encryption of electronic data put at least 16,183 vets at risk, the newspaper reported.
Despite the violations, the VA has been active in implementing health care technology. The department uses an online personal health record platform called My HealtheVet, which allows patients to access their self-entered health data, lab reports, and immunization records.
“The [Tribune-Review] report is generally correct, but the VA is not much different than many of the VA’s partners, other hospitals, medical practices, etc.,” Shahid Shah, CEO of IT consulting firm Netspective Communications and author of The Healthcare IT Guy blog, told CruxialCIO via email.
Even as the health care industry aims to digitize medical records, a large amount of paper records remaining could contribute to illegal sharing of medical data, Shah noted.
“The most important safeguards right now can primarily be nontechnical because there’s too much paper and broad discretionary authority to view data in non-digital workflows; accountability and tracking is not built into VA’s processes, procedures, and training to the extent like they need to be,” he said. “Everyone wants to do the right thing, but as long as there is so much paper in the process and the workflows require large amounts of data to be seen and processes by so many different people, the illegal release of medical data will remain very easy.”
Brian T. Horowitz is a breaking news reporter with nearly 20 years of experience covering business, technology, health care information systems and innovation. He has written for Computer Shopper, eWEEK, Fast Company, InternetNews.com, NYSE magazine and ScientificAmerican.com. He holds a B.A. from Hofstra University. Follow him on Twitter: @bthorowitz.