Phoenix VA Health Care System

Report ID: PSETS0000104910, U.S. Department of Veterans Affairs

Reported Entity: PHOENIX AZ - 644

Issue:

On March 21, 2014, Clinical Research Coordinator consented two research subjects. The Informed Consent Form and HIPAA Authorization that had been pre-populated by the Coordinator for Subject 2 to sign was mistakenly given to Subject 1. Every page of both forms contained the full name, DOB, and last 4 digits of SSN of Subject 2. This document was scanned to the chart of Subject 1. In addition, the signature page of the Informed Consent Form mistakenly given to Subject 1 was also scanned to the CPRS chart of Subject 2 because the identifying information at the bottom of the page was for Subject 2. Exposure in this second case is only of the name/signature of Subject 1. Both subjects declined to receive photocopies of their signed consent forms, and the Accounting of Disclosures does not show any disclosures of either subject's chart. Exposure therefore appears limited to Subject 1 seeing name, last 4 SSN, and DOB of Subject 2, and possibly Subject 2 seeing the name/signature of Subject 1, but no loss of the information in hardcopy. This mistake was discovered on June 3, 2014 during a routine consent form audit by the Research Compliance Officer. Preliminary investigation suggests root cause is inattention by the Research Coordinator, and a failure to separate the PHI of the two subjects being seen that day. PO has contacted HIMS to remove the erroneous documents from both charts. Further investigation, remediation, and notifications to follow.

Outcome:

06/04/14: The Incident Resolution Team has determined that Subject 2 will be sent a letter offering credit protection services due to full name and DoB being disclosed.