In honor of Information Security and Privacy Awareness Week April 25-29, 2022, VA reminds you of the importance of handling sensitive personal information. With that in mind, do you know what to do if you receive another Veteran’s medical files in the mail? Or if you are at a VA waiting room and come across a misplaced DD-214 military service record that belongs to another Veteran? Here’s what you should do immediately: Report it!
What is a privacy incident?
Finding another Veteran’s military service record or ID or getting another person’s medical files in the mail is what’s called a privacy incident. These examples are accidental, of course. But technically, a privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of VA sensitive personal information. This includes personally identifiable information (PII) and protected health information (PHI), whether physical or electronic.
Suspected incidents that should be reported by Veterans include:
- Receiving through the mail another Veteran’s sensitive information, such as medical records or benefit information.
- Visiting a VA Medical Center and seeing an unattended medical file.
- Hearing discussion of a Veteran’s PHI in a common area of a VA facility.
How can you report a privacy incident?
Veterans should always report suspected privacy breaches to their local VA Privacy Officer (PO). To locate your local Privacy Officer, you must contact your local VA facility. Visit the VA Privacy Service web page for more information. If it’s after business hours, Veterans should leave a message or send an email to firstname.lastname@example.org.
When reporting a suspected privacy incident, be prepared to provide the following information:
- Your name.
- The best phone number to reach you.
- Incident location.
- Date of incident.
- What was lost, compromised or disclosed?
- What happened?
- Was the information on a mobile phone or other electronic device?
- If it was an electronic device, was the data encrypted?
- Was the electronic device turned on, and if so, was it password protected?
What is PII?
PII is information that can distinguish or trace an individual’s identity, either alone or when combined with other information linked or linkable to a specific individual. Examples of PII elements include name, social security number, biometric records, date and place of birth, and mother’s maiden name.
What is PHI?
PHI is considered a subcategory of PII. This term applies only to individually identifiable health information under the control of the Veterans Health Administration, as VA’s only Covered Entity under the Health Insurance Portability and Accountability Act. PHI is health (including demographic) data transmitted by, or maintained in, electronic or any other form or medium. PHI excludes records of a person deceased for more than 50 years and some education records.
If you have any additional questions or concerns regarding your VA PII, contact your local PO or VA Privacy Service at (202) 273-5070.
Security incidents happen and it’s best to be prepared. So, feel free to bookmark this information should you ever need it in the future.