This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Health Care Upstate New York (VISN 2)

VISN 02 Syracuse, NY

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on March 14, 2013. Also cited in 132 other reports.


Report ID: PSETS0000086800, U.S. Department of Veterans Affairs

Reported Entity: VISN 02 Syracuse, NY

Issue:

The Privacy Officer (PO) received a restricted email from a Physician's Assistant (PA) in Orthopedics that she received from an employee inquiring about his father-in-law's appointments. In the email the employee stated that he noticed that his father was supposed to have a follow-up that week for his wrist. The employee also stated that he had x-rays ordered for a specific date and a return to clinic order from a specific date but no appointment scheduled for him that week. The employee told the PA that he just wanted to give her a heads up as his father thought he had an appointment the next day or on Thursday. The PA said in the email forwarded to the PO that she does not respond to emails from employees but wanted to make the PO aware that she keeps receiving this type of correspondence. The PO contacted the PA shortly after receiving her email and told her that the email indicated the employee had accessed his father-in-law's medical record to get this information. The PO asked the PA if the employee would have a way of knowing about the X-ray ordered and the return to clinic order in the medical record and she stated No. She stated the patient did not even know about the appointments which is why the employee was contacting her. The PO stated that she had sensitized the patient's medical record and that a Sensitive Patient Access Report (SPAR) would be run in a couple of days to determine if any additional accesses by the employee occurred but would need the employee's name to investigate further. The PA provided the name of the employee that she received the email from who is a PA in Primary Care. The PO discussed this with the Information Security Officer (ISO) and he agreed the email from the VA employee indicated a record access violation had occurred. The ISO also pointed out that use of the employee's email for personal business was against VA policy and needed to be addressed. The ISO ran a SPAR on the father-in-law's record and reviewed it with the PO.
No additional record accesses by the employee in question occurred. The PO contacted the Administrative Officer (AO) for Primary Care to discuss further corrective action and it was determined that a question and answer session with the employee regarding the record access was needed. The AO for Primary Care and the PO questioned the employee about the record access, which he confirmed had occurred. He stated that his father-in-law often relies on him to get information regarding his appointments because he forgets and needs help and he had accessed the medical record to get this information much like he would any Veteran who asked him for this type of assistance, so he didn't think it was an issue. The PO notified the employee that his access of his father-in-law's medical record was a privacy violation because he had accessed the information outside of a need to know to do his job. It was explained to the employee that he would be expected to provide appointment information to Veterans that he treated in clinic, not those he didn't, and therefore he did not have a need to know in his father-in-law's case. He stated he understood and that when he saw the record had been sensitized he knew not to access it and told his father-in-law he could no longer get the information for him. The issue will be forwarded to Human Resources for a determination of disciplinary action. Update: 03/14/13: One Veteran will be sent a HIPAA notification letter.

Outcome:

Privacy Officer and Administrative Officer for Primary Care re-educated the employee on the requirement to only access a patient's record on a need to know basis to do his job. In addition, the AO submitted the request for disciplinary action to Human Resources for further action. Resolved.
