Two branches of Oklahoma’s government are embroiled in a controversy over whether the Oklahoma Department of Veterans Affairs committed a HIPAA violation when it allowed VA medical aides to access patient medical records using their smartphones during an internet outage.
On July 25, a scheduled internet outage prevented aides at VA centers in Norman and Lawton from accessing patient medical records. To cope, department officials allowed the aides to access the medical records system using their smartphones.
In a letter to Republican Governor Mary Fallin, three Democratic state lawmakers argued that the decision to allow access to medical records using smartphones was a “direct violation of federal HIPAA regulations,” The Oklahoman reported Aug. 8.
Reps. Brian Renegar, Chuck Hoskin, and David Perryman warned that the alleged HIPAA violation “could jeopardize the millions of federal funding dollars coming to our Oklahoma veterans.”
The lawmakers called for the firing of two officials — Veterans Affairs Executive Director Doug Elliott and Clinical Compliance Director Tina Williams.
“This occurred because Elliott and Williams have little regard for, and knowledge of, health care,” they told Fallin.
State Chief Information Security Officer Mark Gower disagreed. In a memo issued in response to the letter, he said that the practice did not violate any federal or state privacy laws, The Oklahoman reported Aug. 9.
Gower determined that the access was secure and limited to a small number of authorized VA personnel.
“The (records system) does not store a local copy of data on the device when it is accessed and it does not cache data on the device, meeting security requirements,” Gower wrote in a report submitted to Elliott.
The department had asked the state to investigate the incident in response to the lawmakers’ letter.
Responding to the letter, Elliott said in an interview that the employees were given temporary, password-protected access to medical records using their smartphones to ensure that VA residents received medication during the internet outage.
“Managers were never told to copy medical records to anything because that denotes something sinister, that you're going to use those later for your own use,” Elliott said.
“These folks were given access, remote access, and they used their cellphones for that access, just like they would any computer or smartphone or laptop. As soon as the problem reverted itself, that remote access was shut off.”
Elliott added, “It is unfathomable that any of the med aides have disclosed that information to a third party.”
“While I do not believe these allegations have any merit, I have reported them to the state's IT security team for a full investigation into this matter,” Elliott said in a news release.
A spokesman for Gov. Fallin, Michael McNutt, said that the VA was “treating the issue with the seriousness it deserves in the most transparent way possible.”
The lawmakers were unconvinced by Gower’s conclusion. “The federal government's going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.
“I don't care who from a state agency gets up and says they didn't do anything wrong. It's not a state issue, it's a federal issue, and we'll find out.”
The lawmakers have forwarded their concerns to HHS, US Attorney Robert Troester, and the US Department of Veterans Affairs.
In an interview Aug. 9, Elliott praised his employees for switching to mobile access during the computer outage, saying it allowed hundreds of patients to continue receiving crucial medications. He said 150 VA employees registered for medical privacy training after the incident was scrutinized this week.
Elliott criticized the Democratic legislators who raised the issue, calling it “unconscionable” for them to suggest VA employees violated privacy laws.
“It's an environment of no tolerance, and it's clearly motivated by something other than caring for veterans,” Elliott concluded.