(Getty Images / iStockphoto)
After veteran Aaron Alexis shot and killed a dozen people at the Washington Navy Yard last September, the Air Force noted a spike in the number of personnel dipping into his electronic medical file.
The snooping — illegal under the Health Insurance Portability and Accountability Act, or HIPAA — was so pervasive that it prompted Air Force Medical Operations Agency Director Brig. Gen. Sean Murphy to issue an Air Force medical command reminder of policy and law.
In the Oct. 21 memo obtained by Military Times, Murphy called the illicit peeks a “violation of the most fundamental trust our patients place in us every day. Breaches of this nature are clearly in violation and are plain and simply wrong.”
But with digital medical records now widely used in federal and private health facilities, such breaches are on the rise, from one-time looks by unauthorized individuals to the jaw-dropping unauthorized breach of 4.5 million Tricare records in 2011 — still the largest compromise of health information recorded since reporting requirements were changed in 2009.
Thousands of physicians, health care officials and contractors have access to the nearly 19 million medical records held by the Defense and Veterans Affairs departments.
In 2010 and 2011, the total number of instances of illegal snooping was relatively low, eight one year and 11 the next. But in 2012, HIPAA violations reported to DoD jumped four-fold, and remained almost as high last year.
Those numbers likely do not reflect the full scope of the problem. Defense Health Agency spokesman Kevin Dwyer said the data reflect only HIPAA complaints filed directly to defense health officials and those submitted by the Health and Human Services Department.
Some HIPAA complaints are handled by the individual services, and even individual military treatment facilities — levels “that we do not or cannot oversee,” Dwyer said.
When Military Times asked each service surgeon general’s office for the number of HIPAA violations, complaints or requests for medical record audits by patients, the requests all were forwarded to DHA.
Among the breaches that reached at least one service secretary was one involving former Air Force Tech. Sgt. Cloria Smith; the HIPAA violation in her case might have gone unnoticed if she hadn’t sought an audit.
Smith, a certified respiratory therapist employed by VA at David Grant USAF Medical Center, Calif., was hospitalized for two days last June at that facility.
When she returned to work, she began experiencing harassment from several co-workers, who often whispered behind her back or laughed at her in the hallway.
The behavior change was so noticeable that she requested a HIPAA audit — a formal report containing the names of anyone who accessed her records during her hospital admission, as well as times of access and reason.
The review found that three co-workers, all active-duty airmen, had peeked at her files: two in the early morning hours of June 4 and the other, three times in the afternoon. None of the three was involved in her treatment or care.
She complained to officials at David Grant, the 60th Medical Support Squadron, HHS and the Office of the Secretary of the Air Force.
“People have asked why I didn’t just let it go, but I can’t. I don’t want anyone else looking in my records,” Smith said.
She received a letter from Lt. Col. Mark Nassir, 60th Medical Support Squadron deputy commander, expressing regret and apologizing for “any inconvenience and concern” the incident may have caused.
The letter advised her to put a fraud alert on her credit file and said the investigative report had been turned over to the unit’s squadron commander for “consideration of further action.”
According to Smith, one of the offenders has since left the unit, one moved to another shift and the third continues to work with Smith, seemingly without reprimand.
“I’m angry and frustrated,” Smith said. “Where is the integrity?”
By law, breaches involving more than 500 records must be reported to HHS and the news media. But individual incursions may never see the light of day unless a patient requests a HIPAA audit.
The vulnerability of medical records concerns Tricare beneficiaries like retired Air Force Maj. Ken Burgess, who said his information has been compromised twice: once in a Tricare data breach and once in an incident involving a laptop theft at VA.
Burgess said his concern is that in most cases, Tricare uses Social Security numbers to identify patients, leaving that critical, personal information open to abuse.
“You don’t know how many people are touching this number,” he said. “And once they have it, they can steal your identity.”
Individuals who suspect their records have been accessed illegally can request an audit from the HIPAA specialist at their military medical center or civilian provider.
By law, medical and insurance personnel, health administrators and others may access these records only in “performance of official duties” and only as often as needed to treat a patient or conduct official business.
Air Force officials say they take all allegations of HIPAA malfeasance seriously and “each breach is reviewed and appropriate action evaluated for that particular incident.”
Lt. Col. Mark Meersman, chief of the Air Force Medical Support Agency health benefits branch, and Dawn Morgenstern, HIPAA privacy program manager, said the service has a layered, comprehensive system for addressing HIPAA.
“Under the HIPAA privacy program, actions are taken immediately upon becoming aware of a potential or actual breach,” the two said in a written statement to Military Times.
According to Air Force data, the service logged 228 allegations of HIPAA incidents in 2013, but not all have been substantiated, and of those that were, not all were egregious enough to be considered a breach.
In his memo, Murphy reminded commands to ensure all personnel with access to medical records understand that inappropriate access to protected health information “will be punished or prosecuted.”