March 15, 2016

Veterans Administration: Lessons From Data Breaches

When it comes to the Health Insurance Portability and Accountability Act (HIPAA), the VA has committed 10,000 violations of patient privacy in less than 5 years. That’s more than 2000 per year, and it’s happening throughout the Veterans Administration (VA) health system right now. ProPublica, an independent, non-profit source of investigative journalism, has uncovered the 10,000 breaches — by employees and contractors at VA medical centers, clinics, pharmacies and benefit centers — after an analysis of VA data.

Now, to be fair, the VA is the only health system that tracks and publicly publishes these data for Congress — potentially making it seem as if the VA is making more mistakes than other systems. But the fact remains that the VA is the largest integrated healthcare system in the United States, with 150 hospitals and hundreds of clinics that collectively serve around 9 million patients annually, so it provides a large sample size for the kinds of breaches that may be occurring throughout other healthcare systems. Here are 3 important takeaways from the VA data breaches.

1. Most breaches are minor

ProPublica found that most of the privacy breaches are minor and inadvertent, ranging from “sending documents or prescriptions to the wrong people, to employees’ intentional snooping and theft of data. Not all concern medical treatment; some involve data on benefits and compensation.”

However, even minor or inadvertent violations of HIPAA rules could, in theory, incur a fine of $50,000 each. It is therefore critical that you build a culture that values data privacy and reinforces the protocols on a regular basis. Your electronic health records (EHR) system should work for you, not against you: Use of portable digital records can help avert patient mix-ups, and patient records should be accessible only by clinicians and employees with the appropriate authorization. Restrict the work that clinicians and employees can take home with them, and enact policies regarding acceptable communications via their personal social media accounts. Invest in training and certification of staff who will have access to records, and take advantage of free training and toolkits to help you implement privacy and security protections in your department, facility or hospital.

2. Some facilities are repeat offenders

“Many VA facilities and regional networks are chronic offenders, logging dozens of violations year after year,” writes NPR, noting that the VA’s Sunshine Healthcare Network, which includes Florida, Puerto Rico and southern Georgia, has had more privacy incidents than any other region — at least 370 over 5 years. On the whole, the number of reports of data breaches doubled from 2011 to 2014. The VA counters that the spike does not indicate there has been a higher number of violations but, rather, that reporting systems implemented during this period are paying dividends.

The VA has a point: It’s critical to have a reporting system that employees feel comfortable using, as they have an obligation to report potential HIPAA violations. Your system should include appropriate protocols and channels of communication with a direct supervisor, or an ombudsman type of role — someone neutral who can take information and investigate impartially. It might also be wise to have an anonymous, secure channel for employees, to remove as many obstacles to reporting as possible.

Although the number of reports may rise, what matters is not how many there are but how they are managed. The reporting system must not retaliate against or penalize those who report concerns over breaches of private health information, nor should it provide an incentive for false reports. All complaints should be fully and discreetly investigated, so that violators are stopped, breaches are corrected, training is reinforced, and systemic change is implemented as needed.

3. Employees weren’t always involved in patient care

The ProPublica report also reveals “more systemic issues across the VA: Employees repeatedly accessed the medical records of patients not under their care, from co-workers to suicidal vets to whistleblowers.” Clinicians who weren’t involved in the patient’s care and non-clinicians not part of the documentation chain of command should not be looking at patient data, period.

As mentioned, use your EHR to limit who has access to patient data. In addition, nurses and physicians doing rounds, administering medications and checking up on patients in hospitals should record each contact with the patient and the reason they accessed patient documentation at the time of the contact. Using only certified medical scribes ensures that your data is recorded by non-clinicians who are fully trained in and compliant with HIPAA rules. Back-office staff should likewise be trained and tracked, to ensure that their access to patient data doesn’t turn into a privacy breach.
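The treatment-relationship rule in the two paragraphs above can be checked mechanically after the fact, which is how most "snooping" cases are found. The following is an added example, not code from this article or from any VA or EHR vendor system. It assumes a hypothetical EHR that writes one access-log line per record view in the constructed key=value format shown, and a care-team roster exported as patient-to-staff pairs; all identifiers and log lines are constructed. It flags accesses by staff with no documented treatment relationship and accesses with no stated reason, and totals the former per user so repeated out-of-relationship browsing stands out.

```python
"""Audit EHR access logs against documented treatment relationships.

Added example: assumes a hypothetical EHR access log in key=value form and a
care-team roster. Nothing here is a real VA format or real patient data.
"""
from datetime import datetime

# Constructed care-team roster: staff with a documented treatment
# relationship to each patient (hypothetical identifiers).
CARE_TEAM = {
    "P100": {"dr_alvarez", "rn_kim"},
    "P101": {"dr_alvarez", "rn_patel"},
    "P102": {"dr_okafor", "rn_kim"},
}

# Constructed access-log lines in the assumed format:
#   <ISO timestamp> user=<id> patient=<id> action=<verb> reason=<text>
SAMPLE_LOG = """\
2016-03-01T09:12:00 user=rn_kim patient=P100 action=view reason=med_admin
2016-03-01T09:15:00 user=dr_alvarez patient=P101 action=view reason=rounds
2016-03-01T09:40:00 user=rn_patel patient=P100 action=view reason=
2016-03-01T10:02:00 user=clerk_lee patient=P102 action=view reason=billing
2016-03-01T10:05:00 user=clerk_lee patient=P100 action=view reason=billing
2016-03-01T10:06:00 user=clerk_lee patient=P101 action=view reason=billing
2016-03-01T23:30:00 user=dr_okafor patient=P102 action=view reason=rounds
"""


def parse_line(line):
    """Turn one log line into a dict; an empty reason stays an empty string."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-blank line of the log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit(events, care_team):
    """Return (kind, user, patient, timestamp) findings for policy violations.

    kind is 'no_treatment_relationship' when the user is not on the
    patient's care team, and 'missing_reason' when no reason was recorded
    at the time of access (the article's second control).
    """
    findings = []
    for ev in events:
        user, patient = ev["user"], ev["patient"]
        if user not in care_team.get(patient, set()):
            findings.append(("no_treatment_relationship", user, patient, ev["ts"]))
        if not ev.get("reason"):
            findings.append(("missing_reason", user, patient, ev["ts"]))
    return findings


def summarize(findings):
    """Count out-of-relationship accesses per user to surface repeat browsing."""
    counts = {}
    for kind, user, _patient, _ts in findings:
        if kind == "no_treatment_relationship":
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG), CARE_TEAM)
    for kind, user, patient, ts in found:
        print(f"{ts.isoformat()} {kind}: {user} -> {patient}")
    for user, n in sorted(summarize(found).items(), key=lambda kv: -kv[1]):
        print(f"{user}: {n} access(es) outside a documented care relationship")
```

In the constructed sample the billing clerk is flagged three times because the roster lists only clinicians; in practice the roster must also carry non-clinical roles with a documented business need (billing, release of information), and emergency "break the glass" views should be allowed but logged with a reason and reviewed, so the audit produces a worklist for the privacy officer rather than a block.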

The consequences can be significant

The Department of Health and Human Services (HHS) recently found that Anthem did not adequately implement policies, procedures and software-security checks to protect unsecured electronic protected health information, and slapped the system with a $1.7 million fine for HIPAA violations. One system — New York-Presbyterian Hospital/Columbia University Medical Center — had to pay out a record-setting $4.8 million for a breach that led to exposure of patients’ medical records and test results. Protecting patient information is serious business, and although the VA is mired in privacy controversy, you don’t have to be.