VA overrun with privacy violations

The Veterans' Administration (VA), one of the nation's leaders in electronic health record use, also leads the nation in EHR privacy violations, according to an article in the Pittsburgh Tribune-Review.

A two month Tribune-Review investigation found that VA employees or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, 2013, involving at least 101,018 veterans and 551 VA staffers. The breaches ranged from snooping and posting protected health information on social media websites to identity and prescription theft. The reasons for the many violations included failure to encrypt, "shoddy" safeguards and lack of accountability.  

The investigation also found that most of the privacy violations were preventable, such as giving information to the wrong patient or failing to confirm that a fax number was correct before using it.

"It's hard to argue against the notion that VA holds the dubious distinction of being the largest violator of the nation's health privacy laws," Deven McGraw, director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology, told the Tribune-Review. "Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it."

McGraw also serves as co-chair of the Office of the National Coordinator for Health IT's Health IT Policy Committee "tiger team."

The article also noted that while the U.S. Department of Health & Human Services can investigate the VA for HIPAA violations, it can't penalize the VA for them. However, the VA has taken little disciplinary action against the violators.

EHRs, with their large amounts of patient information, portability and relative ease of access, are particularly vulnerable to privacy and security breaches.

To learn more:
- here's the article