In recent years there have been dramatic increases in identity theft and the misuse of personal information. The public is concerned about how its information is collected, used, and maintained.

We at the Department of Veterans Affairs (VA) understand and appreciate the trust Veterans place in us to provide them with healthcare and benefits. We realize this trust is based on our ability to protect the privacy and security of their personal information.

In 2002 VA established a central organization, VA Privacy Service, to oversee and support all privacy efforts within VA, protect the privacy of Veterans’ and employees’ personal information, and ensure all privacy laws are adhered to throughout VA. VA Privacy Service develops the programs, products, and VA-wide policies centrally, which are then implemented locally by facility-level Privacy Officers (POs) around the country.

What is privacy? How does it differ from security?

Although mentioned together in many contexts, security and privacy are different.

  • Privacy represents “what” must be protected. It covers the collection, use, and disclosure of personal information.
  • Security represents “how” information must be protected. It encompasses the methods for accessing and protecting the personal information.

What are the privacy requirements with which VA must comply?

There are many Federal laws and regulations that address privacy and the collection, use, and disclosure of personally identifiable information (PII). The two most important are the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act (HIPAA). Veterans should understand what rights they have under these laws.

Privacy Act of 1974: This covers how the Federal government, including VA, collects, maintains, uses, and discloses personal information. It covers all personal information maintained in Agency systems of records, not just health information, and requires notice and consent for information collection.

HIPAA: HIPAA regulations, such as the HIPAA Privacy Rule, expand existing privacy protections and standardize them for public and private health care facilities, which include the Veterans Health Administration (VHA).

Under both laws, you are allowed to:

  • Access, review, and obtain copies of records that the Federal Government maintains about you, including medical records;
  • Request an amendment to records that are incomplete, inaccurate, untimely or irrelevant; and,
  • Obtain an accounting or list of disclosures of information about you.

In addition, the Privacy Act of 1974:

  • Creates a code of “Fair Information Practice Principles” (FIPPs) that mandates how the Federal Government, including VA, maintains information about you; and
  • Restricts disclosure of PII that is maintained by the Federal Government, including VA. (Information can only be disclosed under certain situations permitted by law. Otherwise, information cannot be disclosed without your prior written authorization.)

In addition, the HIPAA Privacy Rule requires that VHA provide:

  • A copy of VHA’s Notice of Privacy Practices. You can obtain a copy of this notice from your local VHA health care facility, or download the notice at https://www.va.gov/vhapublications/ViewPublication.asp?pub_ID=3147
  • The right to request a restriction that VHA not use or disclose your protected health information (PHI) in certain situations.
  • The right to request to receive your health information through confidential means.

In general, VHA must have written authorization to use and disclose PHI. However, authorization is not required in certain circumstances:

  • Treatment,
  • Payment,
  • Healthcare operations,
  • Eligibility and enrollment for VA benefits,
  • Dealing with family members or others involved with your care (with limitations); or
  • Other uses as required by law

Also, the HIPAA Privacy Rule requires that VHA has written privacy procedures, designated Privacy Officers, and privacy training for all employees and contractors.

Even if a VA employee does not handle patient medical records or work in a VA hospital, that employee may have direct or incidental access to employee, Veteran, dependent, or beneficiary personal information. As a result, that employee must protect this information.

Our employees know they must exercise care not to disclose information inadvertently. They know discussing Veteran or employee information in public or private with employees, family, friends, or others who have no “need to know” is a privacy violation.

What does VA do to comply with privacy requirements?

Policy

VA reviews and updates its Directives and Handbooks to ensure that they reflect the most recent changes in Federal law and regulatory guidance.

Awareness

VA ensures that all employees and contractors understand their privacy and security responsibilities to protect the confidentiality of Veterans’ personal information in all forms – electronic, paper, and verbal.

Training

VA requires annual mandatory privacy awareness training for all employees and contractors. In addition to the mandatory privacy awareness training, employees with access to protected health information must also take additional privacy training on an annual basis.

Examples of your personally identifiable information that VA protects:

  • Social Security Numbers
  • Date and Place of Birth
  • Email Addresses/Street Address
  • Biometric Records
  • Veterans Benefits Administration Claim/File Numbers
  • Medical Information
  • Employment Information
  • Education Information
  • Financial Information
  • Beneficiary Information
  • Dependent Information
  • Federal Tax Information

What are the penalties?

  • If a VA employee or contractor violates privacy requirements, the individual may face disciplinary action up to and including termination, criminal and/or monetary penalties for each violation.
  • If you are concerned that your privacy rights have been violated, you may file a complaint by contacting your VA facility Privacy Officer, the VHA Privacy Office, or VA Privacy Service.

NOTE: In general, VA does not call Veterans and ask them to disclose or confirm personal or financial information over the phone. If you have any questions or concerns, please contact your local VA facility or call the VA Health Benefits Call Center at 1-877-222-VETS (8387).