"The fact that this individual removed protected information from the workplace over a period of three years leads us to wonder if this is a common practice at this unit of the VA or even more broadly," across the organization, he said.

"The VA is a covered entity under HIPAA, and the fact is the DHHS is the authority to undertake a review of their data security and privacy practices," he said.

The letter cited the obligations of covered entities to protect health data against "reasonably anticipated" threats under HIPAA. It noted that HIPAA's security rule gives covered entities the flexibility to implement security controls that are proportionate to the size, complexity and capabilities of the organization. "Clearly, the VA should be held to the highest standards in this regard," the letter said.

In calling for Leavitt to undertake an immediate HIPAA compliance review at the VA, the letter said, "We believe your review may well give rise to a finding that the assessment of civil and criminal penalties to the VA is appropriate."