Phoenix VA Health Care System

Report ID: PSETS0000106296, U.S. Department of Veterans Affairs

Reported Entity: PHOENIX AZ - 644

Issue:

Today, 07/09/14, a security report was run of sensitive charts. It showed Staff As access into Staff Bs chart. Staff B reports lack of official reason for chart access and files privacy complaint. Additional questions regarding staff As access of other sensitive charts will be referred per administrative investigation protocol. Additional notification and investigation, to ensue.

Outcome:

07/13/14: This case was reviewed extensively with VHA Privacy Office last week over the course of several days. The conclusion is that the access of the chart by a VA Police Officer exceeded the minimum necessary. All VA Police Officers have Patient Inquiry access in VISTA. It was advised that this be revisited. The guidance was provided to the VA Police Chief and his Pentad member who had both previously worked on a similar but different privacy complaint. Requested that the VA Police provide an update of their access permissions. 07/15/14: Upon guidance from VHA Privacy for the VA Police Chief to consult with OIT to reduce or remove VA Police access. OIT staff reports this is a national menu for VA Police officers which they cannot remove without changing national permissions. This is a dilema. Requested that the VA Police Chief consult with OIT Chief to reference this material. Offered assistance. 07/23/14: The current Primary Menu for the police is called ESP POLICE OFFICER MENU. This is a National menu provided at each station. One of the options is called Patient Inquiry. From what I am told, the police have access to this information as part of their duties for investigational and security purposes. It provides information such as the patients address, appointment locations, allergies, and emergency contact information. It does not display any other information than the sample below. Police apparently need this menu option to direct lost patients to their appointment location and to determine if any allergies or conditions exist that a responding police officer should be aware of. As a hypothetical example... if a patient was a fall or flight risk and was wandering, and was allergic to latex.. the police would probably need to be aware of this information to help the patient. I contacted my previous station in region 2. All police have this menu option at that station (possibly all stations). I am not an expert at patient privacy, but if you believe that the police shouldnt have it then any privacy concerns should be escalated to the National level as it does not have a purely local scope. Will use of this option show that a police officer has accessed a patients record? Yes it will. However, if this menu option is appropriate and used in the course of a police officers duties, then it is appropriate and explainable. 07/28/14: OIT guidance was provided to VHA Privacy on 07/24/14. Further discussion with VACO Police staff and VHA Privacy Office expected to clarify role access and use for VA Police Officers. 08/04/14: Extensive consultation with VHA Privacy and VAPS. They have concluded that the Patient Inquiry menu access which was given to our VA Police is not appropriate for them but only for the Chief. This is not just an issue at this facility. Additional guidance will be sent to the field on this subject from VHA Privacy and/or VAPS. This menu correction and consult was provided to the VA Police Chief, OIT Chief and facility leadership. Inquiry whether this is in a complaint status or incident? 08/07/14: Extensive dialogue with VA and VHA Privacy. Conclusion: Access was not appropriate leading to Incident. 08/08/14: The Incident Resolution Service Team determined that Staff B will receive a general notification letter.