Phoenix VA Health Care System

Report ID: PSETS0000107079, U.S. Department of Veterans Affairs

Reported Entity: PHOENIX AZ - 644

Issue:

Today, 07/28/14, Employee-Veteran who is on leave, filed a privacy complaint to the Privacy Officer (PO) that all staff aside from PO listed on his Sensitive Patient Access Report (SPAR), accessed his medical record without his permission or business need. Several of the staff on the list were said to work or have worked for the Veteran-Employee. There are 13 staff listed whom the Veteran cites should not have accessed his chart. One employee from another agency is on SPAR. There is also an employee on the SPAR who was a subject of a prior privacy investigation, previously addressed by management. Additional notification and investigation to ensue.

Outcome:

08/02/14: PO update -- Discussed with Asst. HAS Chief to identify staff on SPAR. Seven emails were sent today to identify staff members to begin investigation. Contacted HR to ensure that prior investigations had determined actions that would reconcile with any potential action currently. Contacted VHA Privacy for guidance regarding OIG access. They directed inquiry specifically which was addressed; response pending. 08/04/14: Contacted 8 additional managers to identify supervisors. Sent out fact finding guidance to 5 supervisors. Notified HR. 08/05/14: Copies of documentation provided to Supervisor, discussed. Requested root cause with corrective actions. Discussed investigation with a nurse manager yesterday for a staff member who is no longer here. He reports that his nurse on access report was loaned to Employee Health. This correlates with the start date at the facility of the Veteran. Asked Manager to consult with Chief of Occupational Health and document the likely access with reference to PD and any other supporting documents. 08/16/14: Two Chiefs reported investigational results. Both of their staff were involved in providing Occupational Health results to Veteran, which is appropriate chart access for the roles they were assigned during this time. Both staff's access is determined to be appropriate. Veteran requested updates from Director and HR. PO sent Veteran a letter explaining the typical progression of an investigation. Veteran confirmed receipt. Consulted with local staff about non-PVAHCS staff access investigation. They advised supervisory contact next. 08/29/14: Discussion with OIT regarding the Imaging User access is in progress. This access is as a result of a new Imaging patch pushed out nationally, recently implemented. The footprint of an anonymous user was brought up during a national OIT call yesterday This issue is being investigated. Supervisor of another employee reports that his staff did not access the chart. Objective evidence shows otherwise. Requested that Research Privacy and Security Office review this finding further to see if there was an authorized research use for this staff member as inferred by another clinical coordinator Chief. Discussion with representative of another agency to explain access by their staff. They will investigate this further at their agency and work to get a response back to us within a week. 09/02/14: Additional inquires still in progress regarding supervisory identification to launch investigation. Inquiry made to Senior Mgmt. to provide a tool to correlate staff to their manager. Prolonged investigation due to insufficient tools. 09/19/14: Requested FU investigational reports from: HIMS Chief for 3 staff; HAS for additional information regarding initial investigation plus finding of a missing staff member who has left but previously worked for HAS subject under investigation. Conflict of interest and included HR requesting who will be POC for this individual's fact finding. Informed HR of El Paso SW to make contact with HR there, sent email to SW Supervisor requesting fact finding. Contacted 2 separate OIG offices for their updates or reports. Will review the Research materials again to ensure that the provider who appears to be a new supervisor, understands, what is requested. Two other subjects' access in Occupational Health have been determined to be appropriate access for their role in employee health services. Again, the Imaging User is a generic access key where PO cannot determine users so there is nothing to substantiate appropriate or inappropriate usage. This was reported to VHA Privacy to address. 09/22/14: PO update -- Research staff has been identified as having inappropriate chart access. This was verified by her supervisor, a physician, the research privacy and security officer, and the Sr. Research Coordinator, due to the variable and complex access issues regarding this study. This ticket was changed from complaint to Incident. Discussed complexity of investigation with VISN and Associate Director. Discussed with Sr. Research Coordinator who oversees studies to ensure the physician's evaluation of his staff's access is appropriate. Research coordinator is familiar with study and has permissions to review charts which quality for this study. She will review again as the access is highly questionable particularly as the subject denies access. 09/24/14: The Incident Resolution Service Team has determined that Employee/Veteran A will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed.