Veterans Affairs To Share Veterans’ Health Information Without Consent

Thousands of veterans were alarmed to learn VA is quietly rolling out is plan to automatically share veterans’ health information with third parties without written consent.

You got that right. Thanks to the VA MISSION Act, VA will now automatically enroll, or opt-in, all veterans into a health information sharing system with numerous government agencies and private organizations after September 30, 2019, unless you object in writing on a paper form.

Veterans must submit the VA Form 10-0484 in person or by mail to their local VA Release of Information office by of September 30, 2019, if they do not want to be “automatically enrolled” into the eHealth Exchange managed by The Sequoia Project.

Sound absurd? Here is what VA wrote in its Virtual Lifetime Electronic
Record (VLER) FAQ:

All Veterans who have not previously signed form 10-0484 as of September 30, 2019 will be automatically enrolled, but have the option to opt out.

Let me say that a third way in case I have not been clear.

VA will automatically share your health information with third parties without your written consent unless you opt-out in writing or submit a revocation in writing submitted in person or by US mail. You cannot submit your opt-out or revocation electronically.

How ironic, right?

In the name of technology, VA is about to force veterans into an electronic data sharing system without consent. The only way to prevent this violation is to present your objection on an agency mandated form ON PAPER by hand or snail mail by Monday. How old school.

And we are just learning about the deadline now.

In order to opt-out or revoke consent, there are a couple of forms you need to consider, noted above… but you only have until Monday to figure it out.

Curiously, the VA Form 10-10164 opt-out that is not technically an official form until October 2019 based on the available form.

One could argue that submitting the 10-10164 before September 30 may still result in a veteran’s automatic opt-in and then opt-out since the form may lack legal effect until October 2019.

So, the forms you can use to opt-out or revoke consent:

How do you get the form to VA? Can I send it on eBenefits or
fax it to Janesville Evidence Intake Center?

No. The agency requires that you either hand deliver the
signed form or mail it to the local Release of Information office at your VA Medical
Center by Monday.

No revocations will be processed after September 30, 2019. I
hope VA will not auto-opt-in veterans who submit the new form before the
deadline.

Either way, if you fail to take action by September 30, your
health information will be shared with the eHealth Exchange managed by The Sequoia
Project.

Good luck.

Once health information is shared, it cannot be unshared as
best I can tell from the information available including the old form.

This means meaning you lose control of your data. While you can possibly opt-out at a later date, whatever is shared is out there in the great and mysterious cloud for whatever hacker to access however and whenever they choose.

Who may get access?

The eHealth Exchange is a massive data-sharing system between federal agencies and private organizations in all 50 states that was originally controlled by the Department of Health and Human Services.

A nonprofit called The Sequoia Project took over management of the eHealth Exchange for “maintenance.” Many VA contractors and vendors are on the Board of Sequoia including Cerner and Mitre Corporation.

VA reassures us everything is safe. Right. Kind of like all
the times our data was illegally shared or hacked within the existing system?

“Rest assured. Your health information is safe and secure as it moves from VA to participating community care providers,” promises VA.

Believe them? We don’t, either.

We Drove To Minneapolis VA To Investigate

On Thursday, colleague Brian Lewis and I went to Minneapolis VA Medical Center immediately after reviewing what I describe below to confront agency officials about the highly questionable timing of the notice.

The Facebook Live video contains our initial impressions, which later evolved after we spoke with local officials and conducted an additional deep dive. Veterans who do not revoke consent/opt-out by September 30 will be enrolled automatically per the VLER FAQ.

We learned some inside baseball by asking around about it
and inspecting the facility. But, many of the VA officials we spoke with were
generally unaware of what VA Central Office was rolling out.

Our local Release of Information booth at Minneapolis VA did not have any of the forms available for veterans seeking to opt-out or revoke their previous consent. The attendant seemed to think her boss might bring some forms up sometime Friday or Monday since a few veterans were asking about it.

Fantastic.

Btw, you may have noticed my reference to “booth” about our ROI. In order to speak with someone at ROI, Minneapolis VA leadership decided to move the ROI intake to the open lobby area where anyone and everyone can hear about what you are asking about regarding your private health information.

So much for privacy when trying to get your private health
records.

For newbies reading this, Brian and I are veterans rights attorneys in the Minneapolis Metro who are well-known, but not well-loved, by VA officials locally and nationally.

I will explain the forms in a bit.

Back In The Day When Consent Was In Writing… And It Mattered

For years, VA was required secure informed consent from veterans prior to the sharing of health information. Whether you were a veteran trying to get care in the community or allow your attorney access to a claims file, you were required to provide VA with a release of information granting consent to share the date.

If you wanted to give VA your genomic information so they
could share it with private researching organizations for God knows whatever
reason, specifically the Million Veteran Program, you had to sign a form
granting permission.

If you wanted to opt in to allow your community care provider to use the health exchange to access your electronic health records, you need to sign the VA Form 10-0485. If you wanted to revoke that access, you needed to sign and submit the VA Form 10-0484.

There’s Gold In Those Records, Boys And Girls

To me, and millions of other veterans, this process seems
straightforward, but VA officials, university researchers, and private industry
really wanted more access to more veteran data since our electronic health records
comprise one of the most valuable datasets in the history of the world to date.

Yes, there is an incredible monetary value within the database containing all of our electronic health information, and private industry would profit handsomely from various marketing, advertising, and health solutions that could be developed by simply accessing our records.

Now, that access to our records comes at a cost. For at
least the past eight years, standard HIPAA requirements to de-identify records
no longer provide the security previously believed. Companies like Facebook
readily work to hack HIPAA protections using algorithms to connect HIPAA de-identified
data with a person’s Facebook profile using various markers including data like
that given by veterans to the Million Veteran Program, for example.

That data can then provide the backbone of entirely new research and advertising arm of companies like Facebook and Google to connect pharmaceutical ads with individuals who may be interested in the newest and greatest pill for anxiety or erectile dysfunction.

VA Throws Off The Heavy Yoke Of Privacy

Fortunately for business partners, researchers, and anyone
else who wants to access our data but not be troubled with difficult privacy
laws, VA will no longer have its research potential hamstrung by sentimental
laws like the Privacy Act or HIPAA.

Veterans can thank Congress and its passage of the VA MISSION
Act for allowing automatic access to all veterans’ health information by third
party community care providers and “partners.”

One of my readers alerted me to a change in protocol yesterday
starting with a PDF flyer circulating at VA.

That flyer, called the Veteran Notification Flyer, informs veterans of the five things we “need to know” about the VA’s new implementation of the health information mandate. I included this below in italics verbatim from the agency’s flyer.

You may be thinking, ‘Well, at least VA thought to give you
notice.’

Not exactly. I have not received any notice yet. However,
many veterans are writing in starting yesterday with notice letters that VA was
transitioning veterans into a new and brave system of data sharing.

The flyer was created September 11, 2019, informing veterans that in 20 days the process was flipping on its head where we need to opt-out after automatically being opted-in.

5 Things You Need To Know About Health Information
Sharing

If you are a little unclear about how to be sure no one
receives the health information, you are in good company. A lot of readers and
agency officials were unclear of exactly what is going on, and multiple dates
are floating around within VA’s own notices.

One page reads, “VA will begin opting all Veterans into
health information sharing, beginning January 2010.” Another page
reads, “VA Systems will begin opting all Veterans into health information
sharing, beginning January 2020.”

So, when did or will VA start the sharing of our health information
without consent?

An intranet notice to VA employees indicated the actual
process of sharing will start on or about November 18, 2019.

The VLER FAQ sheet probably provides the best advice
specific to veterans who do not want their data shared in the electronic system:

All Veterans who have not previously signed form 10-0484 as of September 30, 2019 will be automatically enrolled, but have the option to opt out. Beginning late 2019, a VA patient’s information will be shared with any community providers that also provide health care services for the shared patient.

“Revocation forms will not be processed after September 30,
2019. However, if you submit VA Form 10-0484, before September 30, your
preference will remain honored and no further action is needed by you.”

This language suggests the form must be submitted before
September 30, because the agency will stop processing them after September 30.

But how to do you revoke the consent that you never granted?

What is also important is the language difference between
the two forms.

Old VA Form 10-0484 vs New VA Form 10-10164

Let’s start with the new form, VA Form 10-10164. Basically,
the form says the agency cannot share your health information unless treatment
is required for an emergency:

So, the opt-out is not absolute. The form also indicates the
opt-in means all your health information can be shared for treatment.

What about your mental health records? How will VA protect
that data? Could that data also be shared with DHS or other organizations for
their own purposes?

The VA Form 10-0484 handles the issues differently.

First, it addresses that the signer revokes their previous
consent. Obviously, most of us never consented to this program. So, by signing
this 0484, can you preemptively revoke?

That is a question for your local Release of Information
Official.

The old form provides the following list about revocation
that I think is far clearer about what is at stake. Here is the list from VA in
italics:

One of the differences that jumped out at me in the old form was the promise that VA “will no longer share any of my individually-identifiable health information”. It did not qualify that revocation by stating the information will be shared in an emergency.

However, the revocation qualifies the health information by calling it “individually-identifiable health information” demonstrating the agency will share your information so long is it is de-identified. As noted above, merely adhering to HIPAA is no longer sufficient to protect your identity or other information that can be traced right back to you with today’s computing power.

What About Health Information Already Shared

The old 10-0484 says the information “already exchanged”
will continue to the used despite revocation meaning once the information is
out there, it is out there.

The health information being passed between VA and its
community care providers is supposedly shared in “guidance” with the Health
Insurance Portability Accountability Act (HIPAA) regulations.

Do we have enough information to make informed decisions?
Does VA seem to give a rip about our informed consent?

I plan to update this post as more information comes out. You may want to check back from time to time.

Stay informed on VA news, scandals and benefits. Get our daily newsletter via email.

This content was originally published here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.