VA weighing steps to protect medical records

Subcontractor in India threatened to release 30,000 of the department’s medical records over the Internet last year.

Troubling audit results have prompted the Veterans Health Administration to consider awarding an agencywide contract for transcribing medical records.

A report released earlier this week by the Veterans Affairs Department's inspector general revealed that a transcription subcontractor in India threatened to release the medical records of 30,000 veterans over the Internet in 2005, amid a dispute over payments. The report came on the heels of a department data breach last month that compromised the personal information, including Social Security numbers, of 26.5 million people.

Jonathan Perlin, VHA health undersecretary, concurred with the IG findings and recommendations, and said standardizing contracts for transcription could help protect patient medical information.

A report on the feasibility of a nationwide transcription contract and rollout of speech-recognition technologies is expected from the agency's Prosthetics and Clinical Logistics Office Oct. 1. A VA spokesman said the agency is using speech-recognition technology more often to enter text summaries into patients' electronic health records.

The department also has inserted language into its business agreements forbidding the transfer of veterans' health information outside the United States, and is providing additional training to improve oversight of contractors, Perlin said.

The medical records incident came to light when, beginning Feb. 23, 2005, the subcontractor sent the IG's Hotline Division e-mails claiming that a U.S.-based contractor failed to pay more than $28,000 for transcribing medical records. The subcontractor threatened to release data from five VHA facilities onto the Internet if it didn't receive payment.

The IG report did not give the name of the contractor, the subcontractor or the VHA facilities involved.

A VA spokesman said the contractor provided the medical information to the subcontractor without the agency's knowledge or approval. Aggressive action was taken to ensure that the contractor paid the subcontractor and that the records were destroyed.

But the IG report stated that there was no way of validating that the patient records were actually destroyed, or of knowing whether other offshore subcontractors or individuals possessed such records.

The VHA held 147 medical transcription contracts with 43 companies, worth a total of $30 million, in fiscal 2004, according to the report. That year, the agency spent another $16 million on salaries for in-house transcription-related jobs.

The IG estimated that $6.2 million could be saved if VHA facilities uniformly negotiated for transcription services at the lowest rate currently paid for the various contracts.

The report also found that 113 out of 129 VA facilities surveyed failed to remove patients' personal identifiers before allowing contractors to access the information, and that 82 contracts did not limit access to VHA data at contractor facilities.

Seventy contracts lacked requirements that the transcription services take place in the United States, and 45 failed to specify requirements for erasing VHA data from contractor computers.

The incident has raised the ire of several members of Congress concerned about the agency's lack of controls over sensitive data after last month's massive breach, in which personal information on many of the nation's veterans and military service members was stolen from the home of a VA employee.

"VA must change its culture and make information security a priority of the highest order," said Rep. Michael Michaud, D-Maine, ranking member of the House Veterans' Affairs Subcommittee on Health. "I do not support veterans' private medical information being handled by third-party contractors operating overseas."

Michaud said VA has less control over offshore contractors, which are not necessarily subject to and may not recognize the Health Insurance Portability and Accountability Act, or other U.S. privacy laws.

Rep. John Salazar, D-Colo., with the support of 45 co-sponsors, has introduced legislation (H.R. 5588) that would require VA to implement stronger data security procedures and to provide identity theft services to veterans whose personal information is at risk because of last month's breach.