This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Sunshine Healthcare Network (VISN 8)

VISN 08 San Juan, PR

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on September 22, 2011. Also cited in 369 other reports.


Report ID: SPE000000067013, U.S. Department of Veterans Affairs

Reported Entity: VISN 08 San Juan, PR

Issue:

Veteran A requested a copy of his medical record on a CD through the Release of Information (ROI) staff. ROI staff does not have CD burning capability, therefore the CD was burned by another HIMS personnel. The CD was given to Veteran A, who immediately disclosed it to his lawyers. When the lawyers reviewed the CD they became aware that it contained information from Veteran B. They contacted Veteran A and explained the situation, and then Veteran A called the ROI supervisor and informed her of the situation. Veteran A had copied the documents to his computer. The ROI supervisor requested both Veteran A and the lawyers to discard all the information from Veteran B.

Update: 09/22/11: Veteran B will be sent a letter offering credit protection services due to full name and SSN being disclosed.

Outcome:

a. A credit monitoring letter should be issued to Veteran A because of the unauthorized disclosure to another veteran. (See attachment I)
b. Veteran A's request should be executed since he did not receive the records.
c. Employee A should not be part of the process of ROI requests since he does not belong to ROI employees and does not have a need to know related to those.
d. A CD burning standard operation procedure must be redacted and put in place to process electronic requests and disclosures of Veterans' medical records. This SOP should include a double checking by two different employees and a supervisor to verify that the CD burned belongs to the requester.
e. The CDROM folder must be taken off Server 7 and relocated to a controlled Server, limiting privileges only to ROI employees.
f. Appropriate disciplinary actions should be given to Employee A for violations of VHA Privacy Policies and Procedures.
g. Appropriate disciplinary actions should be given to Employee B for violations of VHA Privacy Policies and Procedures.
