
VA Health Records Protocols Probed, Following Sexual Harassment Reports

A group of Congressional members is probing protocols for health records access and other privacy concerns at the VA amid a growing number of sexual harassment claims.

A group of 50 Congressional members sent a letter to Department of Veterans Affairs Secretary Denis McDonough, after multiple reports of sexual harassment claims made by women veterans and employees. In particular, the group wants insights into protocols for health records access.

The letter was led by Reps. Katherine Clark, D-Massachusetts, Mark Takano, D-California, and Julia Brownley, D-California.

Driving the investigation is a 2020 VA Office of Inspector General report that found a woman veteran was subjected to retaliation after reporting she was sexually assaulted by a VA-contracted employee at the DC VA hospital.

The report revealed that VA officials sought damaging information about the veteran, in apparent retaliation.

For the Congressional members, the incident raised several red flags as “the OIG was unable to determine whether anyone had accessed her medical record because her record hadn’t been sensitized to log this information.”

Another recent incident in Massachusetts showed a woman veteran was intimidated and sexually harassed by a supervisor from the VA’s National Call Center.

The supervisor improperly collected personal information from her VA medical records, then called the woman from his personal phone and made a range of threatening comments, among other abhorrent behaviors.

For the Congressional members, the concern is that the veteran remains in the dark about the safety and security of her private information -- as the employee transferred her data to his private phone.

“As alarming as this story is, it is sadly not an isolated incident,” the members wrote.

“It is absolutely critical for VA to move forward with implementation of Section 5303, creating a centralized reporting mechanism for VA beneficiaries and to designate sexual harassment and assault prevention coordinators, so that veterans know where to turn when subjected to degrading treatment when accessing care and benefits,” they continued.

Section 5303 of the Deborah Sampson Act (P.L. 116-315) requires the agency to implement a comprehensive anti-harassment and anti-sexual assault policy.

The centralized system is crucial not only for ensuring the safety of all veterans, but also for identifying and addressing how this alarming circumstance continues to occur in the VA system, the Congressional members explained.

Recently, a 2020 Government Accountability Office report showed the VA’s workplace sexual harassment policies were inconsistent and incomplete, including a lack of centralized reporting mechanisms or resources for VA beneficiaries who report sexual harassment or assault by VA employees or on VA property.

The group also expressed concern about the potential for retaliation, particularly around the broad access VA employees are given to the medical records of veterans in the VA system -- without a demonstrated reason to do so as part of their role.

In light of these alarming incidents, the Congressional members are requesting insights into VA policies and procedures, including the protocols in place across the agency that would prevent unauthorized access to veterans’ protected and private personal information.

The VA must provide details on its privacy policies around mental health records, medical imaging, disability claim information, and all other personal data.

The members also want to know which employees can access VHA mental health and medical records, such as whether a scheduler can access personal medical and mental health records at will -- and without cause.

The group asked the VA Secretary to provide details on whether the VA system logs when an employee accesses someone’s medical records and the specific record accessed, and on how it’s determined that an employee can access a record, “as the Department of Defense does for mental health progress notes, before allowing entry.”

Further, the members want to know why access logging isn’t turned on for everyone’s records and how veterans’ personal information is classified and protected from unauthorized access.

The VA was also asked to shed light on what resources the agency needs to develop a centralized data supporting system to catalogue data on sexual harassment and assault complaints, as required by Section 5303 of the Deborah Sampson Act.

Lastly, the members want to know how the VA cooperates with local law enforcement when a possible crime is committed.

“The persistence of any conditions which leave veterans at risk of intimidation, sexual harassment, and assault falls far below the standard of care we expect from the VA,” the group wrote.

“We commend you for your comments during your confirmation hearing that you would ‘try to set a culture that underscores that such activity will not be tolerated,’ and we trust that you will work urgently to address the longstanding systemic and cultural problems at the VA,” they concluded.

The VA was recently under fire after an OIG report found several employees hid and falsely represented privacy and security risks posed by a future AI project with a health vendor in 2016. The contract was pulled before health data was shared.

Agency watchdogs have previously found privacy and security risks following the data breach of 46,000 veterans and providers, as well as medical device protocols at a California VA Medical Center.
