WREG.com

WREG investigation finds hundreds of privacy violations at Memphis VA

MEMPHIS, Tenn. — Just as the Department of Veterans Affairs works to rebuild its image and restore confidence with veterans and the public, WREG has learned the same men and women protecting our freedom aren’t getting the same protection at home.

Taking care of patients and protecting their privacy is what hospitals are supposed to do. The VA is no different. Yet the same agency that launched a program earlier this year to protect veterans from identity theft could be turning them into targets.

A more than six-month On Your Side Investigation reveals employees at the Memphis VA Medical Center constantly broke their own rules and violated veterans’ privacy.

From a list of patients with HIV lying out in the open and blood samples being sent to the wrong place, to data being collected on veterans without their consent, WREG found hundreds of violations.

Mary Littlejohn called the On Your Side Investigators with a complaint about privacy, but her story starts with what she describes as a lack of quality care at the Memphis VA.

“Horrible, horrible,” Littlejohn said.

She showed us a picture of her 83-year-old father, Bennie Earl Ward, that’s difficult to look at. He’s in the hospital bed, his gown has come off, and his frail body is exposed.

Littlejohn says Ward was admitted to the VA after a fall, unable to do anything for himself. She described what happened one evening she went to visit.

“I come up through the halls, heard someone screaming and hollering, needed help, needed help, needed to use the bathroom. Got closer, it was my daddy,” Littlejohn said.

Littlejohn says her father’s door was wide open, but they couldn’t get anyone to respond.

Ward simply needed changing after an accident. Littlejohn says after 20 minutes, she snapped a picture of her father and walked to the nurses’ station.

“I said, ‘How would you like to come in and find your father or family member looking like this and screaming and hollering?’” she recalled.

According to Littlejohn, the conversation escalated and nurses called the VA Police. She says they told her taking and sharing the picture was a HIPAA violation.

Littlejohn said, “I told them, ‘Look, that’s my father, I take a picture of my father anytime I get good and damned ready to.’ Excuse my language!”

Before Littlejohn called the On Your Side Investigators, we were already looking into similar concerns at the VA.

WREG filed a Freedom of Information request with the Department of Veterans Affairs in April of 2014. We wanted to know how the Memphis VA Medical Center was investigating and resolving privacy complaints.

After months of back-and-forth between Memphis and the Washington, D.C. office, in September, WREG obtained a report about privacy violations at the Memphis VA.

It covers a three-year period and more than 200 complaints, reports, and investigations into privacy breaches.

WREG spoke with a hospital employee too scared to reveal her identity for fear of retaliation. She too contacted the On Your Side Investigators about a potential HIPAA violation and other concerns at the VA.

“I’ve had managers look at my medical records,” she said.

The employee told us she’s not surprised by what we found. She says despite recent scrutiny regarding patient deaths and wait times, there are still numerous problems at the Memphis VA.

She said, “In some areas it’s better, but in other areas it seems to have gotten worse.”

The violations in the report range from employees snooping at patients’ medical records, to sending unencrypted emails containing sensitive patient information.

A number of times, staffers sent the wrong medication and letters to veterans. Employees also lost devices like laptops and smartphones with patient data on them. Patient lists were misplaced and left out in the open. Then there was a worker who used his government computer to look at porn.

On one occasion, a veteran went home with six different lab orders for other patients and a urine sample that wasn’t his.

There were cases where nurses and doctors spoke too loudly about patients’ conditions, like the veteran embarrassed when a worker told him to go to the health department for his STD.

We counted more than a dozen times where studies took place and some portion of the HIPAA authorization was handled incorrectly.

Not all complaints or investigations were considered a violation. Some were closed or dismissed due to a lack of cooperation, or simply weren’t valid.

In all, the VA mailed out more than 160 letters for credit monitoring and loss notifications in the three-and-a-half year period covered in the report.

WREG also found employees rarely face serious discipline for negligent actions that result in violations of hospital policy.

On most occasions, they are re-trained, or re-educated on HIPAA and VA policy. There were some cases where the Privacy Officer noted that the information would be sent to Human Resources and the employee’s manager for further action.

Some serious violations or breaches are reported to the VA Office of Inspector General. Congress also receives reports.

How does the VA stack up against other hospitals when it comes to privacy violations?

“It’s not only in the VA system, but it’s a system wide problem,” University of Memphis Health Systems Management and Policy Professor Soumitra Bhuyan said.

Bhuyan reiterated that privacy violations happen at hospitals all across the country.

He says the key to preventing data breaches and privacy violations at any hospital is constant education for employees.

“You can have the policy on paper, but if you’re not enforcing as it should be then you are still at the risk of violating,” he said.

The employee WREG spoke with says she loves her job, but believes in order for real change to take place, there has to be an attitude adjustment from top to bottom at the Memphis VA Medical Center.

She says in some departments, morale remains low, and she feels there is no “open door” policy for employees to express concerns with upper management.

“They talk about this VA being one of the worst across the country and I don’t want to hear that because I take pride in where I work at,” she said.

Littlejohn says veterans like her father simply deserve better.

“Take care of these veterans, they served our country for us,” she said.

Administrators from the Memphis VA Medical Center refused WREG’s repeated requests for an on-camera interview. A spokesperson sent the following emailed response to some basic questions initially sent to the VA when requesting the interview:

How important is protecting the privacy of patients for the VA?

At the Veterans Affairs Medical Center in Memphis, Tennessee, confidentiality of health information of our patients is extremely important to us. We protect the privacy of patients’ health information. Its use or disclosure is only as authorized by law. Follow-up action to investigate or respond to any reported or potential privacy violation is conducted expeditiously.

What’s the overall protocol for putting privacy first?

The Memphis VA Medical Center complies with the Privacy Act of 1974 and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure security and confidentiality of patient information. Each employee receives privacy training upon being hired and is required to take the training annually thereafter. The Medical Center’s Privacy Officer conducts routine privacy monitoring. Privacy Compliance Assessment reviews of VA Medical Centers are conducted by Veterans Health Administration to validate compliance with current regulations.

When violations occur, how aggressive is the VA in making the necessary changes or adjustments to policies?

The Memphis VA Medical Center is committed to protecting the privacy of Veterans, their families and employees, and consistently reviews policies and information systems designed to protect private information to ensure immediate action is taken should the need arise.

Veterans Affairs recently launched a website about protecting veterans from identity theft. How is the staff and the Memphis VAMC encouraging this?

Posters on the Health Information Technology for Economic and Clinical Health (HITECH) Act and Privacy are posted throughout the medical center and in each work area. Ongoing education is provided to staff on the importance of protecting personally identifiable information and protected health information of patients.
