[Med-privacy] VA

Peter Marshall pwm@comcast.net
Thu, 1 Jun 2006 11:43:38 -0700


June 1, 2006  202.721.5614 (o)
202.904.0899 (c)
pfeldman@healthprivacy.org


ORGANIZATIONS CALL ON DHHS SECRETARY MIKE LEAVITT TO UNDERTAKE
IMMEDIATE HIPAA COMPLIANCE REVIEW OF U.S. VETERANS DEPARTMENT

(Washington, DC) Thirty organizations participating in the Consumer
Coalition for Health Privacy yesterday asked U.S. Department of Health
and Human Services Secretary Mike Leavitt to undertake a compliance
review of the U.S. Department of Veterans Affairs pursuant to the
authority granted him by the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). Medical diagnostic codes and
disability rating information about an undisclosed number of disabled
veterans were stolen last month from the home of a VA employee along
with 26.5 million veterans' names, birth dates and Social Security
numbers.

"Secretary Leavitt should do everything he can to ensure the privacy
and security of protected health and other highly sensitive information
held by the VA," according to Paul Feldman, Deputy Director of the
Health Privacy Project. "Ordering a HIPAA compliance review is a
prudent step the Secretary is authorized to take which will encourage
better from the VA in the future and will help assure veterans that our
government takes seriously the protection of their personal
information. I hope the HHS Office for Civil Rights will proceed with
this review with all due speed."

A copy of the letter follows:

Dear Secretary Leavitt:

The May 3 theft from the Department of Veterans Affairs (VA) of medical
diagnostic codes, disability ratings, names, Social Security numbers,
and dates of birth of more than 26 million American military veterans
is a very serious matter. [1]  On behalf of the undersigned
participating organizations of the Consumer Coalition for Health
Privacy, the Health Privacy Project requests that you initiate
immediately a full compliance review with respect to the nature and
extent of violations of both the Standards for Privacy of Individually
Identifiable Health Information ("Privacy Rule") and the Security
Standards for the Protection of Electronic Protected Health Information
("Security Standards") under authority of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).

The Security Standards generally require a covered entity (CE) to
"[p]rotect against any reasonably anticipated threats or hazards to the
security" of protected health information (PHI) [2]  and go on to
describe a number of required and addressable implementation
specifications. The Security Standards speak to a "flexibility of
approach" to allow the CE to determine its methods to assure the
security of PHI, including taking into account the "size, complexity,
and capabilities" of the CE. [3]  Clearly, the VA should be held to the
highest standards in this regard. It appears the VA is in violation of
the Privacy Rule as well, particularly with respect to its provisions
regarding the safeguarding of PHI. [4]

The facts of this matter are as yet unclear, but we believe your review
may well give rise to a finding that the assessment of civil and
criminal penalties to the VA is appropriate. As you know, it is
unfortunate that individuals harmed by security or privacy breaches
have no right to sue under HIPAA.

Regardless of how the data was stolen, who stole it and for what
purpose it was taken, the fact that this individually identifiable
health information was removed without authorization from a U.S.
government facility is key and alone signals the need for a compliance
review. That the federal government employee routinely removed data
from his workplace for a period of three years [5]  suggests the
existence of systemic problems at the VA with the security of
identifiable information about veterans.

The undersigned organizations write to you to urge you to investigate
these matters promptly. The widespread adoption of electronic health
records systems is predicated on consumers' ability to trust that their
highly sensitive information will remain secure and private. These
events harm our shared efforts to improve health care quality and
reduce its cost by encouraging the continued rapid development and
implementation of health information technologies. Please contact HPP
Deputy Director Paul Feldman at pfeldman@healthprivacy.org or
202.721.5614 for more information.

Health Privacy Project, Washington DC on behalf of
  AIDS Action of Baltimore (MD)
  AIDS Action, Washington DC
  AIDS Action Committee of Massachusetts, Inc., Boston MA
  AIDS Foundation of Chicago (IL)
  AIDS Legal Services, Law Foundation of Silicon Valley (CA)
  American Academy of HIV Medicine, Washington DC
  American Association of People with Disabilities, Washington DC
  American Mental Health Counselors Association, Alexandria VA
  American Nurses Association, Silver Spring MD
  American Psychiatric Association, Washington DC
  Bazelon Center for Mental Health Law, Washington DC
  Center for Democracy and Technology, Washington DC
  Center for HIV Law and Policy, New York NY
  Community HIV/AIDS Mobilization Project, New York NY
  Consumer Action, Washington DC
  Electronic Privacy Information Center, Washington DC
  Fairfax County Privacy Council (VA)
  HIV/AIDS Law Project, Phoenix AZ
  Housing Works, New York and Albany NY, Washington DC and Jackson MS
  Legal Action Center, New York NY
  Mental Health Advocacy Project, Law Foundation of Silicon Valley (CA)
  National Coordinating Committee for Multiemployer Plans, Washington DC
  New York State Black Gay Network, New York NY
  Patient Privacy Rights Foundation, Austin TX
  Positive Outlook, Ferndale MI
  Privacy Rights Clearinghouse, San Diego CA
  Privacy Rights Now Coalition, Washington DC
  Servicemembers Legal Defense Network, Washington DC
  Vietnam Veterans of America, Silver Spring MD
  Women's Cancer Advocacy Network, Glen Allen VA


[1]  Stout, D., "Veteran data was removed routinely, official says,"
New York Times, May 26, 2006

[2]  45 CFR §164.306(a)

[3]  45 CFR §164.306(b)

[4]  45 CFR §164.530(a)(2)

[5]  Yen, H., "Veterans' data theft went unreported," Washington Post,
May 25, 2006

1120 19th Street, NW, 8th Floor, Washington, DC 20036
  202-721-5614 (Tel) * 202-530-0128 (Fax) * www.healthprivacy.org