Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southwest Health Care Network (VISN 18)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on July 5, 2011. Also cited in 228 other reports.
Report ID: SPE000000064429, U.S. Department of Veterans Affairs
Reported Entity: VISN 18 Phoenix, AZ
Issue:
Today, a Veteran employee provided the Privacy Officer with a written complaint that 3 fellow employees in her service accessed her medical record without authorization. A sensitive patient access report (SPAR) had been provided to employee previously. Appropriate investigation and notifications to ensue. Update: 10/19/11:Two employees accessed the record in the course of performing their duties. The supervisor accessed the record due to behavior issues and the belief of a medical emergency. The supervisor did not have a need to access the record. There was no malicious intent as the supervisor was trying to assist the employee The employee will be sent a letter of notification.10/27/11:When preparing to enter the incident to HHS HITECH database, IRT staff member read the mitigiation/corrective action entry and, based on hat explanation, reclassified the ticket as no data breach and not HITECH. The Privacy Officer questioned this action and sent additional information which stated that the supervisor did access the record inappropriately and which indicated that this was data breach.
Outcome:
Investigation completed; reviewed findings with supervisors and Director. All staff investigated re-educated. Letter from Director mailed today to complainant. 10/13/2011 Further disciplinary action has been determined by the supervisor, to be appropriate. Disciplinary actions pending. Responded to complainant with VISN Privacy Officer contact information by email per request. VISN Privacy Officer in concurrence with providing contact information. 10/26/2011 Conclusion: Re-investigation showed situational merit but a technical violation of supervisor access to Admin record of complainant. Actions were based on a medical/behavioral emergency. No findings of privacy violation regarding another supervisor who was not her supervisor. This functional role was within the scope of duties and discussed at that time with the complainant. Disciplinary actions and re-education were conducted with the supervisor regarding need for Veteran authorization in every circumstance PHI, PII or III is accessed; actions concluded on 10/19/2011. HIPAA notification letter sent to complainant with tracking due to complainant indicating last letter was not received with subsequent mail tracking. Per VISN PO, copy of HIPAA de-identified letter will be provided to VISN also.