Every time you turn around there is another scandal at the Department of Veterans Affairs. They just keep coming one after another. This time it is the revelation that the VA is disclosing confidential patient information that it is supposed to keep private. That is a violation of the Health Insurance Portability and Accountability Act (HIPAA), the federal patient privacy law enacted to protect Americans from having their medical records made public. The incidents at the VA include the disclosure of veterans’ Social Security Numbers, addresses and telephone numbers, as well as their medical history, and prescription medications.
VA medical facilities are not the only hospitals that have been caught disclosing private patient information. However, the Department of Health and Human Services’ Office for Civil Rights, the agency responsible for enforcing HIPPA, has cited the Department of Veterans Affairs for HIPPA violations more frequently than any other health provider in the entire country.
According to the Department of Veterans Affairs, the mission of the VA is to fulfill President Lincoln’s promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are America’s Veterans. It doesn’t seem that the VA is fulfilling that mission.
To care for him who shall have borne the battle and for his widow, and his orphan,”
Lincoln’s Second Inaugural Address
Some of the incidents at VA hospitals were accidental, the result of sloppy work by VA employees. But other incidents were deliberate attempts by VA employees to punish co-workers who had reported some of the terrible conditions at VA hospitals to Congress or the media. The story was published simultaneously by National Public Radio (NPR) and ProPublica, an independent, non-profit news service that produces investigative journalism in the public interest.
Sloppy work by VA employees has led to the private medical data about deceased veterans being sent to the wrong widows. There are many cases where one veteran received medications meant for another veteran, or where one veteran received another veteran’s refill slip at the pharmacy window. In some cases the veteran’s address was changed incorrectly, which resulted in medications being mailed to the wrong address. There are also cases where one veteran received a package from the VA that contained the medication that the veteran used, but the label on the medication bottle contained personal information about another veteran who took the same medicine. Veterans also reported that they had received copies of their confidential medical records in the mail in an unsealed envelope. One VA employee mistakenly mailed documentation that contained a veteran’s personally identifiable information to an outside organization.
But some of the incidents are much more serious. VA employees have snooped on the records of patients who have committed suicide, and whistleblowers within the VA told NPR and ProPublica that their own medical privacy has been violated. The whistleblowers are veterans, who are also VA employees, and they reported that other VA employees had accessed protected health information (PHI) in their veteran medical record without authorization and then disclosed that protected health information to another VA employee without authorization.
And the violations are not confined to one or two VA hospitals. They are happening at VA hospitals across the country. For example, a six-month long investigation by WREG in Memphis found hundreds of privacy violations by employees at the Memphis VA Medical Center. In April of 2014, WREG filed a Freedom of Information (FOIL) request with the Department of Veterans Affairs. They wanted to know how the Memphis VA Medical Center was investigating and resolving privacy complaints. In September 2014, after months of wrangling with the VA, WREG obtained a report about privacy violations at the Memphis VA hospital. The report covered a three-year period and documented more than 200 complaints, reports, and investigations into privacy breaches at the Memphis VA Medical Center.
There are similar stories at other VA hospitals. In the two year period 2013 – 2015, there were 21 reported violations of patient privacy at the Canandaigua VA Medical Center, near Rochester, New York, including incidents at the VA Outpatient Clinic on Westfall Road in Rochester.