Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Phoenix VA Health Care System
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 24, 2014. Also cited in 102 other reports.
Report ID: PSETS0000099594, U.S. Department of Veterans Affairs
Reported Entity: PHOENIX AZ - 644
Issue:
Today, 1/24/2013, PO receives a written privacy complaint from a Veteran/Employee in inner office mail. This was dated January 21, 2014. Employee asserts that 4 other employees accessed employee's medical record without permission or only to review appointments. It's not clear if there are authorizations on file. Staff in this area routinely disclose PHI. Prior discussion with PO provided Employee with complaint form and explanation of permissible access if an authorization was provided. Additional notification and investigation, to ensue.
Outcome:
02/03/14: Discussed with HIMS Chief. Investigation is in progress. Staff reporting has inquired about status of investigation. Assured that this was in progress. HIMS Chief produced and distributed a SOP for her staff regarding how to access records for staff who work in HIMS/ROI. This will be handled by supervisory chain of command rather than colleagues. 02/24/14: Supervisor has completed investigation of 3 ROI staff and 1 coder who are alleged to access complainants medical record without permission. The coder's access is noted to be required due to complainant encounters requiring this functional access. This employee had a legitimate job related need to access the chart. The memo written by the HIMS Chief of investigation into the access by ROI staff indicate that the complainant asked them to process disclosures for her. Awaiting the authorizations and accounting of disclosures to match the dates on the SPAR. 03/06/14: A staff member identified that complainant had related that she had not had any conversations regarding her privacy complaint from the PO. After discussing with the fact finding with the Supervisor, she related that the complainant denied making a formal privacy complaint. Reassured Supervisor that complaint was in writing. Reassured staff that complainant had updates from PO. Requested that Supervisor complete written findings today if possible. "This email was sent to the Complainant. It has been brought to my attention that you believe there is no action occurring on your privacy complaint. Please be assured that we take this complaint seriously and wish to investigate this thoroughly. This privacy complaint as we have discussed on two (2) separate occasions, subsequent to your official complaint to my office, is in actively progress. There are additional elements to investigate that we hope to resolve shortly. A final letter will be sent to you by the Director at the conclusion of this privacy complaint investigation to address your concerns." 03/07/14: Further fact finding indicates that this is an incident and inappropriate access did occur. Supervisor is working with Human Resources to determine disciplinary outcome. 03/14/14: Discussion with Supervisor indicates that HR and management team has been notified. No letter notification on ticket but this appears in order. HIPAA notification letter pending. The Incident Resolution Team (IRT) determined that the complainant will receive a HIPAA letter of notification.