Dear VA Veteran Employees (this also includes contractors, VSO employees, work study/interns employed at VBA, and their families),
Take heed! Let no one deceive you. Be vigilant, particularly when it comes to protecting your private information. Your information is your property, protected by law, and anyone who does not have permission to view it is a thief. If you are not familiar with how a veteran’s information is restricted and protected, I highly advise you to make some time to learn about it now.
Many of you wrongly believe that your co-workers and managers do not have access to the information contained in your C-file. I hate to be the bearer of bad news – but they do. Many of you wrongly believe that something in the computer software programs will deny them access. Many of you wrongly believe that some sort of alarm will ping in IT when an unauthorized person accesses your C-file. Many of you wrongly believe that the RACC restricts people from viewing your C-file. The RACC only restricts people from making changes to your C-file. Many of you wrongly believe that your co-workers and supervisors are honest people who would never access your information. Many of you wrongly believe there is a simple and efficient way to obtain recourse, such as through OSC, OIG, and the privacy officer. Many of you wrongly possess a lot of false assumptions. While it is understandable that you might think your C-file is protected due to the number of trainings you complete each year, these trainings help ethical people to do a better job at improving security. They do little good to deter someone who is inclined to ignore these warnings. I have no doubt that if one of your co-workers were caught, he or she would be held accountable. However, I have little faith that if a manager or managers were caught snooping in veteran employees’ C-files that they would be held accountable. VA’s track record for holding managers accountable is very poor. The VA remains one of the top HIPAA privacy offenders. According to Deven McGraw, director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology, “It’s hard to argue against the notion that VA holds the dubious distinction of being the largest violator of the nation’s health privacy laws. Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it.”
I am hopeful that there are more good and honest people working for the VBA than not, but to use faith alone is really rather foolish. It is your right to know who has been viewing your C-file. It is your right to obtain an unredacted accounting of disclosures (audit) of everyone who has ever accessed, viewed or queried your C-file. Further proof could come from directly observing your managers access your C-file. Stand over their shoulders and watch them pull up your digital C-file. The only way someone would not be able to view your C-file is if they did not have access to a particular security level. For example, if you are authorized to view security level 7 C-files then you could view C-files classified at security level 7 and below. Obviously anyone who does not have a security level 7 clearance would not be able to view C-files classified at security level 7 and above.
Additionally, the VA will no longer “protect” your C-file 3 years after your employment. If you happen to reside in the jurisdiction of the regional office where you used to work, the VA will not abide by the conflict of interest rule.
If you work on the health care side, your C-file is classified at security level 6, expires 3 years after leaving employment, and does not receive RACC protection. Unlike VBA, your VHA records will always remain sensitized so you will be able to request an accounting of disclosures.
I recommend all VA veteran employees who use Veteran’s Health Care, but work for other VA departments or even for the state, county, contractors, or non-profits, to make sure you go in to see your VHA privacy officer to have your VHA health records sensitized as an employee – that is the only way the privacy officer can give you an accounting of disclosures.
The VHA side of the house is generally good about giving the disclosures within a few hours to a few days. However, not all Veterans Health care facilities are the same and you might run into some barriers. Although VHA’s computer system does not prevent anyone from accessing your VA health records – there is only a warning screen – an important part of protecting your private information comes from your diligence in monitoring who has been accessing your information. That means if the privacy officer delays in giving you the list or gives you problems, I recommend further investigating the issue. You can also request to be there when the privacy officer pulls up the information, because he/she must copy and paste it into an Excel spreadsheet and any line at that point can be deleted. Anyone who prevents you from watching the transfer of data should be viewed as highly suspicious. If you encounter problems in trying to improve the VA system you use, please let us know in the blog comments.
Make sure when you request the VBA accounting of disclosures of your C-file through FOIA that it spans all years (the entire age of your C-file) and all systems, making sure the list you receive has not been redacted. OIT is tasked with generating the data, but they do not give this list to an unbiased or neutral party before sending it to you. It will be screened by the director of the RACC or by the director of whoever has jurisdiction of your C-file. This is when the list gets scrubbed, because VA managers protect themselves. If you are as disgusted with this step as I am, please consider signing the petition and sharing. The only person looking out for your C-file is you. And if you are not looking out for your C-file, well then, no one is.
To learn more, as well as to hear future podcasts about C-file security and privacy, please go to www.heartlesshypocrisy.com