Louis Stokes Cleveland VA Medical Center

Issue: The Columbus Information Security Officer (ISO) ran an audit log and found a Cleveland VA employee accessed her mother's CPRS record 1 time. Per her email, employee did it upon request of her mother which is inappropriate.

Outcome: 01/28/15: The Incident Resolution Service Team has determined that Veteran/Portent A will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed.…

Issue: The spouse of Veteran A noticed Veteran B's medication list was stapled to the medication list of Veteran A.

Outcome: 01/26/15: The Incident Resolution Service Team has determined that Veteran B will be sent a letter offering credit protection services.…

Issue: On 07/09/14, the spouse of Veteran A found a patient list in the Women's restroom. The spouse immediately gave the information to an employee of the medical center.

Outcome: 12/02/14: The Data Breach Core Team concurred that the 29 patients on the ward at the time the list was found should be sent HIPAA notification letters.…

Issue: Employee accessed the medical chart of employee/patient without a need to know. Information was discovered when employee/patient request a DRG Access Log.

Outcome: 11/12/14: The Incident Resolution Service Team has determined that the Veteran will be sent a notification letter.…

Issue: A VA Supervisor reported that an employee may have inappropriately accessed two records. Also, the employee may have been feeding information about the Veterans' C&P claim via email, Lync and over the phone. One Veteran is the employee's brother, and…

Outcome: 11/04/14: PO update -- Interviewed the employee. Changing to incident as access to the brother's record was inappropriate even though the brother confirmed he asked the patient to access the record. Employee also accessed another record inappropriately. Still pending an…

Issue: VA employee accessed the medical chart of a patient without a need to know.

Outcome: 11/12/14: The Incident Resolution Service Team has determined that the Veteran will be sent a notification letter due to Protected Health Information (PHI) being disclosed.…

Issue: Patient A received Patient B Future Appointment List in the mail.

Outcome: 09/23/14: The Incident Resolution Service Team has determined that Patient B will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed.…

Issue: An employee accessed the medical record of an employee/patient without a need to know.

Outcome: 10/09/14: The Incident Resolution Service Team has determined that patient whose information was viewed will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed.…

Issue: A patient dropped off two lab result letters he received on two other Veterans. The letters contained full name, home address, and results. They are not individually drafted letters, rather more of an automated process type letter.

Outcome: The Incident Resolution Service Team has determined that Patient B and C will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed.

Issue: Employee gave lab report of Patient A to Patient B. Patient B returned information to the Community Based Outpatient Clinic (CBOC).

Outcome: 08/18/14: The Incident Resolution Service Team has determined that Patient B will be sent a letter offering credit protection services.…