VA Southwest Health Care Network (VISN 18)

Issue: During a routine on-site Office of Research Oversight (ORO) audit, the auditor determined that the research study was using an invalid HIPAA Authorization that was part of an Insitutional Review Board (IRB) approved compound research informed consent form. The study…

Outcome: Investigation by the Office of Research Oversight (ORO), Research Information Privacy Officer (Research PO), and Institutional Review Board (IRB) determined the breach was unintentional. Study staff are now aware identifiable data were embedded in transmitted research image files and on…

Issue: A New Mexico VA Health Care System (NMVAHCS) Supervisor A reports NMVAHCS Supervisor B stated that he accessed one of his employee's medical record without a need to know. Update: 04/11/12:Employee A will be sent a letter offering credit protection…

Outcome: Service Chief is proposing suspension.

Issue: On April 2, 2012, the Patient Advocate reported Veteran A's privacy complaint. He was seen in the Emergency Department on March 26, 2012, when he was provided with a CD containing Radiology images. The Privacy Officer called Veteran A back…

Outcome: Supervisor counseled staff on this event and corrective steps to address all outgoing CD with privacy disclaimer, Veteran last name and last 4 on CD with exam performed. She also emailed directions to staff and will develop an SOP. New…

Issue: Medical records were requested from the Office of Research Oversight (ORO) and the Research Office staff was unable to locate the file cabinet containing the records. The cabinet was moved without the knowledge of the Principle Investigator or the Research…

Outcome: Credit Monitoring lettes have been sent. Future moves of equipment to be properly documented to ensure misplacement of files doesn't recur.

Issue: VA Employee A informed VA Employee B that his father/Veteran had a procedure done that he noticed written within his computerized Patient Record. Accessing this record would have been outside of this employee's scope of duties and his professional need…

Outcome: Provided retraining. Svc Chief to impose sanctions.…

Issue: On 03/21/12, a Veteran called the Supervisor who called the Privacy Officer (PO) to contact the Veteran regarding a HIPAA complaint. The Veteran indicates his appointment sheet at a Community Based Outpatient Clinic (CBOC) was provided to another Veteran's niece.…

Outcome: Alternate AOD has conducted an in-service with the MSAs regarding this event. Counseled individual responsible.

Issue: A Veteran Privacy complaint was taken by the Patient Advocate Department on 3/14/2012 and received by the Privacy Officer (PO) on the morning of 3/15/2012. The PO called the Rehab Clinic managers and Research liaison to respond to the patient's…

Outcome: Education provided to Education, Public Affairs and Research regarding the parameters of filming within a therapeutic treatment setting. Excellent facility dialog regarding media coverage issues. HIPAA notification letter sent after initial call to complainant. Central office contracting issues referred to…

Issue: The Trade Shop Supervisor reported to the Alternate Privacy Officer (PO) that he found patient documents on the ground of the VA parking lot today. The documents are three (3) pages of End-of-Shift reports for 17 patients. The reports contain…

Outcome: Nursing program re-educated students. Privacy/security training obtained for student, who was up-to-date. Student involved in incident was dismissed from campus program by college. New student class re-instructed with disposal sites and prohibition of removal of sensitive materials. Credit monitoring offers…

Issue: Today at 11:15 AM, the Women\xe2\x80\x99s Program Manager notified the Privacy Officer (PO) of a privacy event involving Veteran B. The PO was told that Veteran B left the VA with Veteran A\xe2\x80\x99s appointment schedule. This appointment schedule was previously…

Outcome: The Outpatient Chief discussed and counseled the employee involved in the incident. Disciplinary action is being reviewed. A HIPAA notification and complaint response were drafted for Regional Counsel review. The letters to both Veterans A & B were signed by…

Issue: Veteran A was given Veteran B's information by a VA Employee. Update: 02/17/12:Veteran B will be sent a letter offering credit protection services due to full name and full SSN being disclosed.…

Outcome: Education given to employee and policies on releasing information reviewed. Credit monitoring offered to the Veteran who information was disclosed.