Did the Oklahoma Department of Veteran Affairs Violate HIPAA Rules?

Three Democrat lawmakers have accused the Oklahoma Department of Veteran Affairs of violating Health Insurance Portability and Accountability Act (HIPAA) Rules. They are also calling for  two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation happened during an internet outage. At that time, VA medical aides could not access veterans’ health records. Because the outage was likely to cause significant disruption the Oklahoma Department of Veteran Affairs permitted medical aides to use their personal smartphones to access veterans’ electronic medical records.

Reps. Brian Renegar, David Perryman and Chuck Hoskin wrote a letter to Oklahoma Governor Mary Fallin calling for the firing of VA Executive Director Doug Elliot as well as the clinical compliance director Tina Williams over the alleged HIPAA violation.

The Representatives said Elliot and Williams “have little regard for, and knowledge of, health care,” and suggested allowing medical aides to access electronic medical records on personal smartphones was “a direct violation of HIPAA,” and by doing so they had placed millions of dollars of federal funding at risk.

State CISO Mark Gower is insistent there was no HIPAA violation. In response to the letter he said only a minimal number of medical aides were permitted to access electronic health records on their phones, and access was only given during the outage. When the problem was resolved, access to medical information through smart phones was blocked.

Gower stated that accessing medical records on a smartphone did not result in any protected health information being copied. The medical records system does not create a cache or save any information on local devices. Gower additionally said the records system and the smartphones satisfied the VA’s security specifications.

The three lawmakers do not believe Gower’s justification and state that at the time of the outage, personnel at all the care centers were permitted to copy medical records onto their personal mobile phones.

Doug Elliot said it was “Unfathomable that any of the med aides have disclosed that information to a third party.” . He also said it was “unconscionable” for the representatives to suggest that professional VA employees violated HIPAA Rules and patient privacy.

Even though the accusations are not believed to have any merit, any complaint such as this is taken seriously and an investigation has been launched by Oklahoma’s IT security team.

The lawmakers are not satisfied with the matter being investigated by a state agency and think such a serious error should be investigated by the federal government to avoid a cover up. The lawmakers have reported the potential HIPAA violation to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.