Three Democrat lawmakers have accused the Oklahoma Department of Veteran Affairs of breaching the Health Insurance Portability and Accountability Act (HIPAA) by allowing their staff to access medical records temporarily through their smartphones.
This extraordinary measure was taken by the organisation in an attempt to mitigate the disruption of a planned internet outage at the facility. The outage rendered staff at the facility unable to access the medical records of the patients via their work devices. As “hundreds” of people would have been affected by the disruption to the services, senior staff at the Oklahoma Department of Veteran Affairs decided to allow their staff to access medical records via their personal devices. Medical aides at the facility were able to access medical records for a short period of time using their own smartphones, and issued veterans with their medications as normal.
However, allowing staff access to medical records through personal devices is a potential violation of HIPAA Rules. Three Democrat lawmakers, Reps. Brian Renegar, Chuck Hoskin, and David Perryman, wrote a letter to Oklahoma Governor Mary Fallin expressing their outrage at the integrity of medical records of US veterans being risked in such a manner. The lawmakers further called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.
The lawmakers claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA”. In addition to risking the security of the veterans’ protected health information (PHI), the lawmakers pointed out that the temporary measure placed millions of dollars of federal funding in jeopardy.
However, there is some dispute over whether a HIPAA violation occurred at all. State CISO Mark Gower states that as only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved, HIPAA Rules were never violated. He states that because access to the medical records was revoked as soon as the Internet at the facility was accessible again, the staff at the facility did nothing wrong.
To further his point, Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements. Therefore, the integrity of the PHI was maintained at all times, and no veterans were at risk of their data being stolen and used for nefarious purposes.
The Democrat lawmakers do not believe Gower’s explanation is sufficient to justify his claim that a HIPAA violation did not occur. According to them, employees using their smartphones to access medical devices were allowed to copy medical records onto their personal cellphones. This occurred at all seven of the state’s veteran centers.
The VA Executive Director Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.
Despite the controversy over whether a HIPAA violation occurred, the claim is being taken seriously by both sides. In order to resolve the issue, Elliot has reported the matter to the state’s IT security team. They shall conduct a full investigation into the manner in which the smartphones were used to access the medical devices and whether they could indeed save copies of the records. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.
The Democrat lawmakers claimed that the case should be investigated by an independent party, and not a state agency. They suggest that the federal government is the only organisation capable of coming to an impartial conclusion. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.
“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.