FedScoop reports that the Department of Veterans Affairs Office of Inspector General found that the Veterans Health Administration's national cancer testing program had at least one project that did not comply with required security and privacy procedures.

According to the watchdog report, the HIPAA privacy and security requirements were not followed when sensitive data was handled during a collaborative research effort. In 2022, a VHA research director created and shared a file containing electronic health record reports and "a significant amount" of protected health information with non-VHA investigators without institutional review board approval or de-identification. The report also cited missing audit logs that should have tracked the secure management of electronic PHI.

Investigators did not confirm allegations that senior leaders ignored the incident but noted delays in reporting the issue and failure to consult required experts. Initial mitigation steps did not address privacy risks, though a later plan included removing PHI, clarifying research processes, and improving staff training. The OIG issued six recommendations, which the VA agreed to follow.
Audit: VA testing program failed to follow privacy rules

("Department of Veterans Affairs" by Christopher Neugebauer is licensed under CC BY-SA 2.0)



