Health-privacy coalition seeks HIPAA review of VA

A coalition of consumer privacy groups in the health care industry is asking the U.S. Department of Health and Human Services (DHHS) to conduct a HIPAA compliance review of the Department of Veterans Affairs after a massive security breach was disclosed last week.

In a letter sent Wednesday to Health and Human Services Secretary Mike Leavitt, 30 privacy groups belonging to the Consumer Coalition for Health Privacy expressed their concerns about the recent theft of personal data at the VA.

The data, which included names, Social Security numbers and addresses belonging to 26.5 million veterans, also included protected health information such as medical diagnostic codes and disability ratings. The data was included in a laptop and disks that were stolen May 3 during a burglary at the home of a VA analyst who had improperly taken the data from the office.

The incident raises serious questions about the "nature and the extent" of violations by the VA of the security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the letter said.

"Regardless of how the data was stolen, who stole it and for what purpose it was taken, the fact that this individually identifiable health information was removed without authorization from a U.S. government facility is key and alone signals the need for a compliance review," the letter noted.

Paul Feldman, deputy director of the Health Privacy Project in Washington, which sent the letter to Leavitt on behalf of the 30 organizations, said the move was prompted by concerns that privacy violations may be widespread at the VA.