South Central VA Health Care Network (VISN 16)

Report ID: SPE000000068670, U.S. Department of Veterans Affairs

Reported Entity: VISN 16 Oklahoma City, OK

Issue:

At a Merit System Protection Board (MSPB) hearing, terminated Employee A came to testify on behalf of Employee B. Terminated Employee A brought a service consult list that was 3 pages long and contained 121 patients' names, last 4 digits of the SSN, request date and patient locations. Update: 11/21/11: The 121 patients will receive notification due to their protected health information (PHI) being maintained outside of VA control by the terminated employee. She was terminated on 11/21/10 for poor performance. The consult list is something she would have had access to in the course of her duties while she was employed at VA. The list was retrieved from terminated Employee A. 12/08/11: The Privacy Officer ran that the report that the terminated Employee A brought to the MSPB hearing and found that the entire report contained information on 253 patients. VA is concerned that the ex-employee may still have the additional data in her possession. Therefore 253 patients will receive a letter of notification. 12/09/11: The letters were printed and mailed today.

Outcome:

Notification letter was sent out on 12/9/2011. Sent out the Privacy Clinic 1, which educates all employees that it is not permitted for an employee to use, or provide Veteran\xe2\x80\x99s Protected Health Information (PHI) to an outside attorney in support of their individual/personal grievance unless an authorization is obtained. The HIPAA Privacy Rule does not give you authority under treatment, payment or health care operations (TPO). It is not permitted for an employee to share Veteran\xe2\x80\x99s PHI with the Union or with EEOC directly. If a VHA employee, Union Representative, or EEOC requires Veteran\xe2\x80\x99s PHI, they must contact the facility Privacy Officer or Human Resource Management.