VA Sunshine Healthcare Network (VISN 8)

Report ID: SPE000000067932, U.S. Department of Veterans Affairs

Reported Entity: VISN 08 San Juan, PR

Issue:

Employee A accessed the CPRS Chart of Employee B (who is a Non-Veteran) one time. Also Employee B accessed the CPRS Chart and other VISTA screens of Employee A who is a Veteran on five (5) different occasions. The two employees were dating at the time of the unauthorized accesses. Update: 11/01/11:Employee A committed a privacy violation based on unauthorized access to Employee B's record. Employee B committed a privacy violation based on unauthorized access to Employee A's record. Both employees will be sent HIPAA notifications letters.

Outcome:

a. Employee A committed a privacy violation due to unauthorized access to Employee B record. Her privacy rights were violated according to Privacy Act (Title 5 USC 552a), and HIPAA Privacy Rule 45 CFR 164.530(c). Employee A also violated VHA Handbook 1605.1 Subparagraphs 14(a.1), 15(a)(3&6) and 17(a-b); and Privacy Policy CM No. 00-11-15 (IV)(I)(2) and (IV)(L)(2-3).b. Employee B violated VHA Handbook 1605.1 Subparagraph 14(a.1) and 17(a-b) and Privacy Policy CM No. 00-11-15 (IV)(L)(1-3) by accessing Employee B record without his authorization.c. Employee A and Employee B also violated VHA Handbook 6500 Subparagraph 6c .14(7)(a).d. To protect and safeguard the Veterans personal information the Mental Health Clinic should establish an identification process to validate the Veterans identity when receiving calls, like adding a third identifier such as DOB or emergency contact or NOK. In addition, the demographic data should not be changed by such clerks; it should be referred to EBAS clerks. e. Appropriate disciplinary actions should be given to both Employee A and Employee B for violations of VHA Privacy Policies and Procedures and VHA Information Security Program.