VA watchdog finds data privacy lapses in cancer testing program
The national cancer testing arm of the Veterans Health Administration failed to follow security and privacy protocols on at least one project, leading to the sharing of protected health information (PHI) with investigators outside the VHA, according to a new watchdog report.
In a report released Thursday, the VA’s Office of Inspector General said its investigation into the VHA cancer program found individuals involved in the research process violated HIPAA privacy laws and security rules when handling PHI.
The national cancer testing program relies heavily on data collection to understand the disease, with researchers using genomic data to analyze tumor genetic structure. To access VHA data sources, agency researchers must follow protocols that include institutional review board (IRB) approval and de-identification of data to protect patient privacy, according to the OIG.
In one instance in 2022, a VHA research director created a data file containing electronic health record reports and PHI for use in a collaborative project with non-VHA investigators, without IRB approval, the watchdog said. This file contained a “significant amount of PHI,” the report stated.
“By sharing the data file with non-VHA investigators without deidentification or authorization, VA did not follow the requirements of the Privacy Rule or the requirements of HIPAA. In addition, data audit logs used to validate the secure management of electronic PHI were not maintained, as required,” the report stated.
The OIG did not find sufficient evidence to support the allegation that the executive director of operations and the research and development privacy officer for the cancer program failed to take any action in response to the concerns.
Instead, the watchdog found the privacy officer connected with research program leaders but did not report the event to a second privacy officer for another two weeks. The privacy officer also failed to consult subject-matter experts, as required, to review the information in the data file, the watchdog further found.
When the OIG raised the security lapse with the executive director of operations, the initial mitigation plans that followed did not address privacy issues or testing program processes. Two months later, a final mitigation plan was submitted with details “determining when projects move from operations to research, removing PHI from projects, and ensuring staff complete training.”
The watchdog made six recommendations, including establishing safeguards, with support from biostatisticians, to ensure that data containing sensitive patient information and PHI is de-identified before sharing outside the agency.
The VA concurred with the recommendations.