Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southwest Health Care Network (VISN 18)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 11, 2012. Also cited in 228 other reports.
Report ID: SPE000000074013, U.S. Department of Veterans Affairs
Reported Entity: VISN 18 Phoenix, AZ
Issue:
During a routine on-site Office of Research Oversight (ORO) audit, the auditor determined that the research study was using an invalid HIPAA Authorization that was part of an Institutional Review Board (IRB) approved compound research informed consent form. The study team was apparently unaware that the software used to send wound image files from a laser digital planimetry camera to the study sponsor's data center was attaching identifiable information (initials, DOB, date of photograph) to the image files before uploading them, and thought they were uploading only the images. ORO determined the HIPAA Authorization section of the informed consent form was invalid 1) because it stated no identifiable information would be disclosed outside the VHA, and 2) did not list the data center among entities the study was permitted to disclose identifiable data to. The data center was listed on the photograph disclosure consent form instead. Data center is located in New Zealand. Four subjects had been consented to the study and had wound planimetry photographs as of this date. Update: 04/12/12: The release forms signed by the research subject specifically stated that no personally identifiable information would be released. The photos which were sent to the data center did contain the name and date of birth of each subject. Four patients will be sent a notification letter.
Outcome:
Investigation by the Office of Research Oversight (ORO), Research Information Privacy Officer (Research PO), and Institutional Review Board (IRB) determined the breach was unintentional. Study staff are now aware identifiable data were embedded in transmitted research image files and on blood sample tube labels. IRB on 4/11/2012 required the study staff to revise the Research Informed Consent Form / HIPAA Authorization to accurately reflect these transmissions of PHI. IRB further ruled on 4/11/2012 that the study team was to re-consent the four study subjects using the accurate HIPAA Authorization once it was approved. Study staff made those revisions and the revised document was approved by the convened IRB on 5/9/2012. Study team is in the process of re-consenting the subjects. Notification Letters were mailed to the four study subjects by Research PO on 5/23/2012. Since the IRB ruling of 4/11/2012, ORO has required that the study split the HIPAA Authorization out of the Informed Consent Form. While this is not yet done it is intended to bring the study into compliance with Office of Research and Development regulations per VHA Handbook 1200.05 as clarified on 3/12/2012, not to remedy this privacy incident. Research PO therefore considers the mitigation of the incident and corrective actions to prevent future recurrences to be complete, and requests closure.