Veteran's Administration (VA) employees or contractors were responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 to May 31, 2013. The violations affected at least 101,018 veterans and 551 VA employees.
Reporters analyzed the VA Risk Management and Incident Response Resolution Team reports, which revealed a history of medical record snooping and the loss of sensitive data such as Social Security numbers. Since 2010, criminal investigators came across 11 instances of VA employees stealing veterans' identities or prescriptions, according to the report.
The investigators uncovered the following information during their investigation of records from 2010 to May 31, 2013:
- The VA reported one in every 365 privacy violations to the OIG.
- Providers violated the privacy of 2,856 veterans by illegally releasing patient information or failing to obtain patient consent for studies.
- The VA compromised the PHI of 16,183 veterans by failing to encrypt data on electronics that were lost or stolen.
- VA employees compromised the PHI of 836 veterans and two VA employees when they lost paperwork in restrooms.
- VA employees compromised the PHI of 1,118 veterans by faxing medical records to the wrong destination.
- The VA provided prescriptions or paperwork of 5,254 veterans to the wrong person. One in five of these incidents resulted in the disclosure of veterans' birth dates, complete or partial Social Security numbers, or diagnoses.
Under the HIPAA omnibus rule, HHS can fine covered entities and business associates up to $1.5 million per HIPAA violation. However, no breach related to the VA has resulted in a monetary settlement.
A statement from VA officials said the agency is retraining employees to "achieve a culture change in which all VA employees understand the importance of protecting veteran information as part of their daily routine."