VA Heartland Network (VISN 15)

Report ID: PSETS0000085803, U.S. Department of Veterans Affairs

Reported Entity: VISN 15 Marion, IL

Issue:

Veteran A requested a Sensitive Patient Access Report (SPAR) to determine who had accessed her medical records since discharge from the RRTP program. Veteran A stated that she was concerned about one particular employee, as the employee had been sending text messages to the Veteran's personal cell phone. The SPAR was run, and the person in question was found to have accessed the Veteran's CPRS records on two occasions since the Veteran's discharge. The SPAR findings were shared with the program manager. The complaint remains under investigation. Update: 03/11/13: A meeting was held with Labor Relations (LR) representative to discuss the investigatory findings. It was determined that the employee had no valid business reason to access the CPRS records of 11 Veterans. A fact finding meeting was held on 03/06/13 that included the employee in question, her union representative, supervisor, and the Privacy Officer (PO). During the interview, the employee admitted accessing the records of 11 Veterans. When asked why the records had been accessed, the employee stated they were accessed to see how they (Veterans) were progressing after they left the program. Employee only recalls accessing the last couple of notes entered into CPRS, post-discharge. One patients records was accessed because, She was my favorite patient (again, she was following this Veterans progress). The employee denied sharing any of the information with anyone, and reiterated that the information had been accessed only to check on the progress of the Veterans. When asked if the employee had utilized the information in CPRS to contact the Veterans, employee stated, No. The employee stated that the contact information was acquired from what was felt to be a mutual exchange of contact information with a couple of the Veterans. When the employee was asked if there had been any communication via text messaging, the response was yes. The employee admitted sending text messages to three Veterans, and receiving text messages from two Veterans. Per the employee, the phone numbers were provided by the Veterans. The messages allegedly did not contain any medical information, and were described as generic. The employee felt the information texted (and/or posted to the Veterans Facebook accounts) was information they would be interested in receiving. The employee was advised that privacy incidents are taken very seriously and that the investigatory information will be forwarded to Human Resources (HR)/LR for appropriate administrative actions. 03/13/13: The 11 Veterans will receive a HIPAA letter of notification.

Outcome:

The following measures have already been taken to lessen the likelihood of future incidents of this nature: 1) To further protect the medical records of RRTP participants, the records of all participants will now be marked sensitive. 2) Education has been provided to all RRTP staff. They have been reminded that accessing a Veterans medical records to follow their progress is considered an inappropriate access, and that it is also inappropriate to utilize contact information for personal reasons (i.e., phone calls and/or text messaging communication). 3) Appropriate administrative actions will be taken against the employee in question. 4) Employee in question was advised to complete the FY13 Privacy and Information Security and Privacy and HIPAA Training modules in TMS.