You have an email! And it’s not yours.
In honor of Information Security and Privacy Awareness Week April 25-29, 2022, VA reminds you of the importance of handling sensitive personal information. With that in mind, do you know what to do if you receive another Veteran’s medical records in the mail? Or if you’re in a VA waiting room and come across a misplaced DD-214 military service record that belongs to another Veteran? Here’s what you need to do immediately: report it!
What is a privacy incident?
Finding another Veteran’s military service record or ID card or receiving another person’s medical records in the mail is called a privacy incident. These examples are accidental, of course. But technically, a privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access or disclosure of sensitive VA personal information. This includes personally identifiable information (PII) and protected health information (PHI), whether physical or electronic.
Suspected incidents that should be reported by Veterans include:
- Receiving another Veteran’s sensitive information, such as medical records or benefit information, by mail.
- Visiting a VA medical center and seeing an unattended medical record.
- Hearing a discussion of a Veteran’s PHI in a common area of a VA facility.
How can you report a privacy incident?
Veterans should always report suspected privacy breaches to their local VA Privacy Officer (PO). To locate your local Privacy Officer, you should contact your local VA Center. Visit the VA Privacy Service webpage for more information. If it is after hours, Veterans should leave a message or email [email protected]
When reporting a suspected privacy incident, be prepared to provide the following information:
- Your name.
- The best phone number to reach you.
- Location of incident.
- Date of incident.
- What was lost, compromised or disclosed?
- What happened?
- Was the information on a mobile phone or other electronic device?
- Was the data encrypted if it was an electronic device?
- Was the electronic device turned on and, if so, was it password protected?
What is PII?
PII is information that can distinguish or trace the identity of an individual, either alone or when combined with other information that is or can be linked to a specific individual. Examples of PII items include name, social security number, biometric records, date and place of birth, and mother’s maiden name.
What is PHI?
PHI is considered a subset of PII. This term applies only to individually identifiable health information under the control of the Veterans Health Administration, as the only entity covered by VA under the Health Insurance Portability and Accountability Act. PHI is health data (including demographic data) transmitted or stored in electronic form or in any other form or medium. PHI excludes records of a person who has been deceased for more than 50 years and some school records.
If you have additional questions or concerns about your VA PII, contact your local PO or the VA Privacy Department at (202) 273-5070.
Security incidents happen and it’s best to be prepared. So feel free to bookmark this information in case you need it in the future.