
Privacy concerns barrier to VA physicians' use of e-tools

By Mary Mosquera, Contributing Writer

The Veterans Affairs Department is wrestling with how to let physicians securely use popular external sites that enable them to store patient data online, such as Google and Yahoo, while ensuring that veterans' health information is adequately protected.

VA does not allow its clinical personnel to use Internet-based commercial storage sites because information kept outside of the protection of the department's systems is considered a privacy breach, said Roger Baker, VA's CIO.

"I love the tools. I just wish I could control what's stored on them," he said Dec. 22 at a briefing with reporters about VA's monthly report to Congress on potential data breaches.

One of the incidents reported in November was at the orthopedic department in the Chicago VA hospital, which maintained a shared scheduling calendar on Yahoo.com of almost 900 patients with their surgery dates, type of surgery and partial Social Security numbers.

Although the account was password-protected, it contained personally identifiable information and was beyond VA's control, so it represented an information breach, Baker said. VA has since shut down the account and sent notification letters to the affected patients. 

VA reported a similar incident in September related to physicians using Google Docs, another widely used tool that enables multiple users to collaborate on activities.

Physicians and residents from medical schools who deliver care at VA and other hospitals accessed the external Web site to enter notes about their patients' care so they would not forget the details, Baker said. Residents also wanted to document what role they have played in a variety of procedures for their certification.

Similar incidents will continue to occur, despite privacy training, because of the popularity of these categories of tools.

"These are great tools for patient care, and right now as the CIO my position has to be you can't use them," Baker said.

"We're spending a lot of time trying to figure out how to go from saying no to saying yes for these kinds of applications," he said. "We have to figure out how to embrace those and at the same time be sure that we are providing the privacy and health information protections that we're committed to doing."

Healthcare providers are doing what they believe is appropriate under the Health Insurance Portability and Accountability Act (HIPAA), "but our rules are tighter than that," he said.