Health-privacy coalition seeks HIPAA review of VA

Computerworld - A coalition of consumer privacy groups in the health care industry is asking the U.S. Department of Health and Human Services (DHHS) to conduct a HIPAA compliance review of the Department of Veterans Affairs after a massive security breach was disclosed last week.

In a letter sent Wednesday to Health and Human Services Secretary Mike Leavitt, 30 privacy groups belonging to the Consumer Coalition for Health Privacy expressed their concerns about the recent theft of personal data at the VA (see "Personal data on millions of U.S. veterans stolen").

The data, which included names, Social Security numbers and addresses belonging to 26.5 million veterans, also included protected health information such as medical diagnostic codes and disability ratings. The data was included in a laptop and disks that were stolen May 3 during a burglary at the home of a VA analyst who had improperly taken the data from the office.

The incident raises serious questions about the "nature and the extent" of violations by the VA of the security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the letter said.

"Regardless of how the data was stolen, who stole it and for what purpose it was taken, the fact that this individually identifiable health information was removed without authorization from a U.S. government facility is key and alone signals the need for a compliance review," the letter noted.

Paul Feldman, deputy director of the Health Privacy Project in Washington, which sent the letter to Leavitt on behalf of the 30 organizations, said the move was prompted by concerns that privacy violations may be widespread at the VA.

"The fact that this individual removed protected information from the workplace over a period of three years leads us to wonder if this is a common practice at this unit of the VA or even more broadly," across the organization, he said.

"The VA is a covered entity under HIPAA, and the fact is the DHHS is the authority to undertake a review of their data security and privacy practices," he said.

The letter cited the obligations of covered entities to protect health data against "reasonably anticipated" threats under HIPAA. It noted that HIPAA’s security rule gives covered entities the flexibility to implement security controls that are proportionate to the size, complexity and capabilities of the organization. "Clearly, the VA should be held to the highest standards in this regard," the letter said.

In calling for Leavitt to undertake an immediate HIPAA compliance review at the VA, the letter said, "We believe your review may well give rise to a finding that the assessment of civil and criminal penalties to the VA is appropriate."