Does the Veterans Administration need to be HIPAA compliant?
Kirsten Peremore August 12, 2024
The Veterans Administration (VA) is a U.S. government agency responsible for providing services to military veterans. The VA itself is made up of many parts, each operating with different forms of information and different compliance requirements. In the context of HIPAA, the VHA is the component that handles the medical information of veterans and, at times, their families. It is the VHA, as part of the VA, that needs to be HIPAA compliant.
Differentiating between the VBA and the VHA
The Veterans Benefits Administration (VBA) and the Veterans Health Administration (VHA) are two major parts of the VA.
The VBA primarily handles benefits like disability compensation, pensions, and education assistance. Most of these activities do not involve direct medical care or the type of health transactions covered by HIPAA. Therefore, as stated by the VA Advisory Opinion on HIPAA, “...it seems clear that certain components of VBA are not covered entities.” This means its operations don’t fall under the strict HIPAA rules that apply to the VHA. However, the VBA still has to protect personal information under other laws like the Privacy Act of 1974.
The VHA provides medical care to veterans. It includes everything from routine check-ups to surgeries and long-term treatments. The same VA Advisory Opinion provides, “The Veterans Health Administration (VHA) is designated a health plan to care provided or paid for under Chapter 17 of title 38, United States Code. 42 U.S.C. § 1320d(5)(J). VHA's treatment activities also satisfy the definition of a covered health care provider.” Its status means the VHA must follow strict rules to protect veterans' health information.
Information sharing between the VHA and VBA
The VBA doesn't provide medical care. Instead, it manages benefits like disability compensation and pensions. However, to determine eligibility for these benefits, the VBA sometimes needs medical information from the VHA.
The VHA can share medical information with the VBA without a veteran's written permission under certain conditions. This is allowed because of a special rule in HIPAA, specifically at 45 C.F.R. § 164.512(k)(1)(iii). This rule says that if the information is needed to assess eligibility for VA benefits, the VHA can share it.
Here’s what happens:
- The VBA requests medical records from the VHA. This request is usually part of a process to determine if a veteran qualifies for benefits like disability payments.
- The VHA reviews the request. It confirms that the request is valid and shares only the information necessary for the VBA’s decision-making process.
- The information is transferred securely. Both the VHA and VBA use secure systems to ensure the data is protected during transmission.
- Once the VBA receives the information, it uses it strictly for determining benefits. The VBA does not use this information for any other purpose without further authorization.
When is HIPAA compliance required?
As the VHA operates hospitals, clinics, and medical facilities, it is continuously required to adhere to HIPAA regulations to ensure the privacy and security of Protected Health Information (PHI). At the heart of HIPAA compliance within the VHA is the handling of medical records. Any time staff access, update, or share a veteran's medical records, HIPAA's privacy and security rules are in full effect. The interactions between the VBA and VHA relating to veteran benefits also need to remain compliant as long as PHI is involved.
HIPAA compliant practices in the VA
A VA directive on the handling of PHI amongst VA business associates and the VHA provides insight into the commonplace practices and policies applied by the VA.
These policies include:
Compliance with HIPAA rules
- Privacy Rule: This rule mandates the protection of individually identifiable health information. It sets standards for how PHI should be used and disclosed, emphasizing the need for patient consent and the minimum necessary use to achieve specific purposes.
- Security Rule: It requires the VHA to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
- Breach Notification Rule: This rule requires the VHA to provide notification following a breach of unsecured PHI. This includes notifications to affected individuals, the HHS, and in certain circumstances, to the media.
Business associate agreements (BAAs)
The directive requires all VA components that qualify as Business Associates of the VHA to enter into BAAs. These agreements ensure that these associates comply with HIPAA standards when handling PHI and EPHI. The BAAs outline the responsibilities of the Business Associates concerning the protection and confidentiality of PHI.
Roles and responsibilities
- Office of the Assistant Secretary for Information and Technology: This office, acting as a Business Associate, is tasked with implementing the policies and procedures required under the Security and Privacy Rules of HIPAA. It oversees the protection of all personally identifiable information (PII), including PHI.
- Deputy Assistant Secretary (DAS) for Information Security: Develops policies that require compliance with privacy and records management laws across the department.
- Director, Office of Privacy and Records Management (OPRM): Acts as a liaison for privacy policy compliance and advises on effective privacy controls for VA information systems.
- General Counsel: Provides legal opinions and advice regarding compliance with applicable laws and regulations concerning privacy and security issues.
Training and awareness
All personnel within the VA who handle PHI are required to undergo training in HIPAA compliance. This ensures that all employees, contractors, and subcontractors are aware of the regulations and understand how to handle PHI appropriately to avoid violations.
Monitoring and enforcement
The VHA conducts periodic reviews to ensure compliance with HIPAA. These reviews help identify any areas of non-compliance or potential improvement, ensuring that all practices meet federal requirements.
Incident management
In the event of a suspected or actual PHI breach, the VHA has established protocols for incident response. These include immediate reporting, assessment, containment, and mitigation strategies to prevent further unauthorized access or disclosure.
Data incidents relating to the VA
In March 2024, the Orlando VA Medical Center experienced a data breach when a departing employee sent documents with sensitive veteran information to their personal email. This breach affected 10,059 individuals, exposing data such as Social Security numbers, names, and contact details. In this case, the unauthorized sending of veterans' sensitive data by a former employee shows a failure to meet HIPAA's requirements for safeguarding PHI.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
Are family members of veterans covered by HIPAA at the VA?
Yes.
What services does the VA provide besides healthcare?
Besides healthcare, the VA offers benefits like disability compensation, education assistance, home loans, and life insurance to veterans and their families.
Can veterans access their health information held by the VA?
Yes.