The recent theft of millions of veterans’ and military personnel records has drawn attention to security practices at the Department of Veterans Affairs, as federal officials, privacy advocates and service members work to determine the extent of the potential damage and how future incidents can be prevented.
The VA on May 22 announced the theft of a department employee’s laptop, which contained records of about 26.5 million veterans. The records did not include health information but did include names, birthdates, disability ratings and Social Security numbers. The scope of the privacy threat increased this week when the VA announced that information for the records of as many as 2.2 million military personnel, including those on active duty, was among the stolen records.
Reaction
Since the announcement, two class action suits have been filed against the department, and VA Deputy Assistant Secretary Michael McLendon resigned amid allegations that he did not immediately inform top officials about the data theft, which took place three weeks before the May 22 announcement.
Privacy advocates and health care organizations also are taking steps to ensure that similar incidents do not occur and to protect the privacy of personal information. The Health Privacy Project, along with 30 organizations participating in the Consumer Coalition for Health Privacy, on June 1 sent a letter to HHS Secretary Mike Leavitt calling for him to do a compliance review of the VA “with respect to the nature and extent of violations of both the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information under authority of [HIPAA].”
According to the letter, the Security Standards “generally require a covered entity to ‘[p]rotect against any reasonably anticipated threats or hazards to the security’ of protected health information.”
“Regardless of how the data was stolen, who stole it and for what purpose it was taken, the fact that this individually identifiable health information was removed without authorization from a U.S. government facility is key and alone signals the need for a compliance review,” the letter states.
Paul Feldman, deputy director of the Health Privacy Project, said the stolen records include information for an undisclosed number from veterans with disabilities, including their records the VA disability ratings and medical diagnostic codes. “We believe that the VA would benefit from … [Leavitt] ordering the Office for Civil Rights to undertake a compliance review with respect to the VA’s data security and patient privacy HIPAA requirements and see how they can be more fully compliant,” Feldman said.
HIPAA Factor
In the wake of the VA data theft, there also has been an increased focus on HIPAA. A June 5 Washington Post story noted that HHS has received more than 19,000 complaints about alleged HIPAA violations, but it has not levied any civil fines and has prosecuted only two criminal cases (Stein, Washington Post, 6/5).
Feldman said HIPAA currently is the “health privacy floor,” and about 30 states have some sort of privacy and security statute or regulation offering more protection than HIPAA. “Our position is that HIPAA is an important step in health privacy, and states need to be able to continue to offer more protection as the state sees fit,” Feldman said.
Moving Forward
“I think that how HHS responds is going to matter a lot,” Feldman said. “I think that if HHS decides not to do something fairly public with respect to HIPAA, with respect to the VA, then I think that that may send a very unhelpful signal to the wider world of covered entities.”
If HHS conducts a compliance review, it will send some “powerful signals” that the government will look out for the privacy of citizens’ medical information and let entities know that they need to comply, Feldman said. He added that he would like HHS to make it public if it starts a compliance review, as he thinks people “would be happy to learn, particularly veterans, that the government body entrusted with their medical privacy is taking this seriously and is going to get to the bottom of it.”
More on the Web:
Health Privacy Project
Washington Post article