Recently, Veterans Affairs sent messages to all registered personnel letting them know that a new policy will be put in place as of January 2020. This policy will allow the VA to share your medical record with “participating community care providers,” and they will not need prior written consent from you to do so each time.
The question that seems to be floating around most is: does this violate HIPAA? Well, it all depends on whether the VA follows the HIPAA Security Rule to a ‘T.’ The HIPAA Security Rule is what covers the requirements for the transmission and implementation of health records electronically. An excerpt of the Security Rule on the U.S. Department of Health and Human Services’ website outlines the rule as:
“The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.”
Since the VA statement says the “participating community care providers” will have access to their “Veterans Health Information Exchange” network, it kind of looks like they will be in the clear, again, as long as they ensure the above is followed exactly and monitored appropriately.
The Rule also states the VHIE has to be auditable, showing any changes made to a record. This is something you as a patient can request if you feel there has been a breach of your record. The Security Rule goes even further to say the entity (in this case, the VA) has to perform security checks and risk assessments regularly to ensure all e-PHI is still protected and safe.
The big thing the VA also mentioned in their notice about the sharing of information is that veterans can opt out of having their information shared, and opt back in at any time. Currently, there is no way to do so online, so you will have to either mail the form, found on va.gov, or physically go to your VA clinic. Sounds a little sketchy, but maybe it is to ensure fully ‘written’ non-consent, which would adhere to HIPAA regulations.
At first glance, it sounds scary, like they are able to share your information with whomever they want. But if you read up on the Security Rule they have to follow and click around on va.gov, you will find they release exactly which offices and hospitals they are sharing with. They are a little loose with the verbiage on what specifically gets shared, but you can always request this information.
From what was researched, it looks like this information sharing is happening across more than just the VA, and the goal is to provide a safe and secure method of electronically transporting your medical record to different locations. We all get frustrated over having to hand-carry records and consistently having to explain what our previous diagnoses are, so one can only hope the VA plays by the rules.