VA Sunshine Healthcare Network (VISN 8)

Issue: A Release of Information (ROI) clerk inappropriately disclosed Veteran A's medical records on an expired authorization Update: 08/10/11:Due to the full SSN and medical information being exposed without proper authorization, Veteran A will receive a letter offering credit protection services.…

Outcome: The employee who inappropriately released medical records on the expired authorization was verbally counseled and retrained in VHA Privacy Policy as well as given additional training on the processing of records requests.

Issue: Four images of a patient's wound were posted to the a shared drive, in an unrestricted sub-directory titled "Scanned Images." The images contained the patient's name and date of birth. There were no full-face/full-body images. The images should have been…

Outcome: Staff is being reminded via newsletter to avoid posting PII to an unrestricted drive. This is also being briefed at Director's next Supervisor's Meeting.…

Issue: The Privacy Officer (PO) received notification on 08/04/11 that the OIG has been conducting an ongoing investigation that began 05/17/11. While investigating an unrelated incident, the local police department discovered two civilians in possession of 287 consultation forms on patients…

Outcome: Based on the OIG reported incident, facility wide notice went out to all staff to report full and near full shredder bins to appropriate staff. Staff were reminded to secure all documents including those awaiting destruction at all times. Weekly…

Issue: A Veteran's medical records were sent to an attorney's office by a Release of Information (ROI) clerk. The information disclosed contains the Veteran's name, full SSN, date of birth and protected health information (PHI) Update: 08/05/11:The information was sent to…

Outcome: The release of Information clerk was educated by the Privacy Officer on the criticality of quality control when mailing patient health information. Supervisor notified.

Issue: A VA Pharmacy employee removed two sheets of VA Form 10-2320 (Schedule II and Schedule III Narcotics and Alcohols) from the pharmacy vault. The information contained the drug name, date, prescription number, patient's last name, first initial of the first…

Outcome: Management is pursuing appropriate disciplinary action. Privacy Training and Rules of Behavior current per Service Chief. Internal investigation ongoing. It appears that there were 44 Veteran names (last name and first initial of the first name) on these two sheets.…

Issue: A user faxed a three page subrogation notice to a unintended local business address. Information included name, address, SSN, and telephone number of a Veteran. The business was contacted and advised to shred the documents. Update: 07/29/11:The Veteran will receive…

Outcome: Closed as a duplicate of SPE65086.

Issue: VA Police reported a Florida Driver and Vehicle Information Database (DAVID) printout was found on the grounds at this facility by a VA employee. The printout contains a full face photo, full name, full SSN, DOB, address and motor vehicle…

Outcome: Employee counseled on appropriate handling of PII. Employee involved retook Privacy and Information Security training. Process changed to include documentation in the police daily journal for all NCIC/DAVID request. Credit monitoring letter mailed to affected employee.…

Issue: The Release of Information (ROI) Clerk from another hospital mailed a patient inquiry package using the address for the new hospital, which is still under construction. Clerk used Google to research the address and failed to note that the hospital…

Outcome: ROI clerks and supervisor that mailed the letter to wrong address have been called and reminded not to use construction address for the new hospital untill officially opened.

Issue: An employee faxed patient information to the wrong fax number. Update: 07/26/11:The patient will be sent a letter offering credit protection services, due to full name and full SSN being disclosed.…

Outcome: Employee educated by the privacy officer on the criticality of quality control when faxing patient information.

Issue: Veteran A received a progress note for Veteran B. The wrong note for patient addendum was initiated but further steps for removal failed. The Privacy Office will investigate further. Update: 07/26/11:Veteran B will be sent a letter offering credit protection…

Outcome: Employee involved completed Privacy and Information Security re-training. Wrong note blocked from viewing. The note information has been placed in the correct Veterans record. Credit monitoring letter mailed to affected Veteran.…