VA Midwest Health Care Network (VISN 23)

Issue: Employee found a sheet of a patients medical record outside on the ground in back of the hospital on the way to the smoke shelter. It is unknown how it got there. The document was handed in to the privacy…

Outcome: Document was sent to the privacy officer, not known how it got outside.

Issue: A Veterans medication list was found on the ground behind hospital on the way to the smoke hut. Unable to identify how it got here. Document was given to the privacy officer Update: 06/21/12:Veteran A will be sent a letter…

Outcome: Clinical staff was educated regarding the situation.

Issue: A VA employee found paper documents laying outside of the VA hospital with protected health information on them. The documents contained information on 12 current inpatients' stay to include full name, last four of SSN, and treatment information. The VA…

Outcome: Chief of Surgery service spoke to all residents regarding the incident. There will be no printing of this information any more. In addition, the incident was discussed with residents and specifically the resident who lost the information.

Issue: A Research contract employee accessed a high profile patient's chart (appeared on media) without a VA business related reason for doing so. Update: 06/13/12:Patient A will be sent a letter offering credit protection services.…

Outcome: Contractor removed contract employee from VA account.

Issue: It was reported to the Privacy Officer that a patient returned a list of patient appointments for the Bemidji Community Based Outpatient Clinic (CBOC). The patient stated that when he saw his provider on 05/22/12 he was given educational material…

Outcome: The provider was talked to about safe guarding PHI/PII.

Issue: A TeleHealth nurse reviewed chart and followed patient for her evening job as a home health nurse for another agency. Update: 06/05/12:The Patient will be sent a letter offering credit protection services as full name and full SSN were accessed…

Outcome: To HRMS for action. Employee must re-take privacy/HIPAA training.

Issue: An employee found a list of procedures in the facility parking lot with Patients identifiable by last name. Update: 06/06/12:Eleven (11) Patients will be sent notification letters due to name and PHI being exposed.…

Outcome: Conducted education on minimum necessary and required to retake privacy training.

Issue: A Veteran reported he received a clinic list of appointments with his paper work. The clinic list showed appointments for the day on 79 veterans, to include their full name, full social security number and reason for coming in (ex:RTC;…

Outcome: Email sent out to all CBOC employees by supervisor of issue and to watch PHI Patient privacy issuses very carefully etc.

Issue: The VA received a keylogger report from US-CERT. Parsing the data revealed a possible keylogger infected VA owned host and exposed veteran PII.See attached spreadsheet for PII details.va_gov-INC000000212024A zipped file of all data is attached. The password to access the…

Outcome: system was scanned, no visuses indicated at this time,

Issue: A nurse gave a patient his post-op discharge paperwork and inadvertently attached to it was a pre-op surgery list with nineteen (19) other Veterans' names and last 4 of their SSN. Update: 05/24/12: Letters of notification will be sent to…

Outcome: Employee was educated on incident and the importance of patient privacy and paying attention to documents that are given out. Letters sent out to Veterans.