Health Privacy Project

May 31, 2006

[Delivered by messenger]
The Honorable Mike Leavitt
Secretary, U.S. Department of Health and Human Services
200 Independence Ave SW
Washington, DC 20201

The May 3 theft from the Department of Veterans Affairs (VA) of medical diagnostic codes, disability ratings, names, Social Security numbers, and dates of birth of more than 26 million American military veterans is a very serious matter. On behalf of the undersigned participating organizations of the Consumer Coalition for Health Privacy, the Health Privacy Project requests that you initiate immediately a full compliance review with respect to the nature and extent of violations of both the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") and the Security Standards for the Protection of Electronic Protected Health Information ("Security Standards") under authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Security Standards generally require a covered entity (CE) to "[p]rotect against any reasonably anticipated threats or hazards to the security" of protected health information (PHI) and go on to describe a number of required and addressable implementation specifications. The Security Standards speak to a "flexibility of approach" to allow the CE to determine its methods to assure the security of PHI, including taking into account the "size, complexity, and capabilities" of the CE. Clearly, the VA should be held to the highest standards in this regard. It appears the VA is in violation of the Privacy Rule as well, particularly with respect to its provisions regarding the safeguarding of PHI.

The facts of this matter are as yet unclear, but we believe your review may well give rise to a finding that the assessment of civil and criminal penalties to the VA is appropriate. As you know, it is unfortunate that individuals harmed by security or privacy breaches have no right to sue under HIPAA.

Regardless of how the data was stolen, who stole it and for what purpose it was taken, the fact that this individually identifiable health information was removed without authorization from a U.S. government facility is key and alone signals the need for a compliance review. That the federal government employee routinely removed data from his workplace for a period of three years suggests the existence of systemic problems at the VA with the security of identifiable information about veterans.

The undersigned organizations write to you to urge you to investigate these matters promptly. The widespread adoption of electronic health records systems is predicated on consumers' ability to trust that their highly sensitive information will remain secure and private. These events harm our shared efforts to improve health care quality and reduce its cost by encouraging the continued rapid development and implementation of health information technologies. Please contact HPP Deputy Director Paul Feldman at pfeldman@healthprivacy.org or 202.721.5614 for more information.

Sincerely,
Paul Feldman
Health Privacy Project

[on behalf of]
AIDS Action of Baltimore (MD)
AIDS Action, Washington DC
AIDS Action Committee of Massachusetts, Inc., Boston MA
AIDS Foundation of Chicago (IL)
AIDS Legal Services, Law Foundation of Silicon Valley (CA)
American Academy of HIV Medicine, Washington DC
American Association of People with Disabilities, Washington DC
American Mental Health Counselors Association, Alexandria VA
American Nurses Association, Silver Spring MD
American Psychiatric Association, Washington DC
Bazelon Center for Mental Health Law, Washington DC
Center for Democracy and Technology, Washington DC
Center for HIV Law and Policy, New York NY
Community HIV/AIDS Mobilization Project, New York NY
Consumer Action, Washington DC
Electronic Privacy Information Center, Washington DC
Fairfax County Privacy Council (VA)
HIV/AIDS Law Project, Phoenix AZ
Housing Works, New York and Albany NY, Washington DC and Jackson MS
Legal Action Center, New York NY
Mental Health Advocacy Project, Law Foundation of Silicon Valley (CA)
National Coordinating Committee for Multiemployer Plans, Washington DC
New York State Black Gay Network, New York NY
Patient Privacy Rights Foundation, Austin TX
Positive Outlook, Ferndale MI
Privacy Rights Clearinghouse, San Diego CA
Privacy Rights Now Coalition, Washington DC
Servicemembers Legal Defense Network, Washington DC
Vietnam Veterans of America, Silver Spring MD
Women's Cancer Advocacy Network, Glen Allen VA

cc: Hon. Daniel K. Akaka
     Hon. Henry E. Brown, Jr.
     Hon. Sherrod Brown
     Hon. Steve Buyer
     Hon. Larry E. Craig
     Hon. Nathan Deal
     Hon. Michael B. Enzi
     Hon. Bob Filner
     Hon. Nancy L. Johnson
     Hon. Edward M. Kennedy
     Hon. Michael H. Michaud
     Hon. Jim Nicholson
     George Opfer
     Hon. Charles B. Rangel
     Hon. Fortney H. Stark
     Hon. William M. Thomas
     Winston Wilkinson
