Report | Aug. 25, 2021

Audit of the Department of Defense’s Controls on Health Information of Well-Known Department of Defense Personnel (DODIG-2021-106)

Audit

Publicly Released: August 26, 2021

 

Objective

The objective of this audit was to determine whether the DoD effectively controlled access to health information of well-known DoD personnel.

 

Background

The DoD maintains millions of electronic health records on its DoD beneficiaries, [REDACTED] DoD personnel who are granted access to health information to perform their official duties may access, without an official reason, a patient’s protected health information, such as medical diagnoses, mental health notes, medications, and personally identifiable information, such as a social security number. [REDACTED] which violates the personal privacy of the affected individuals.

According to the Health Insurance Portability and Accountability Act (HIPAA) and DoD guidance, all authorized users of health information must access only data that they are authorized to access, must have a need to know, and must assume only authorized roles and privileges.

We nonstatistically selected 38 well‑known individuals to determine whether their health information was accessed by an unauthorized health care official. We limited the review to individuals that became well‑known from a high‑media incident [REDACTED]. A high-media incident is when a large audience learns of an event through media communications, such as social media, broadcasting, or newspapers. We requested electronic health records access logs from the Defense Health Agency (DHA) in April 2020 for the selected DoD personnel. A total of 1,410 individuals accessed the health information of these 38 individuals. We nonstatistically selected 44 DoD personnel (viewers) that accessed the health information for 18 of the 38 well‑known individuals based on risk factors, such as a difference in locations of the viewers and the well‑known individuals, and information accessed immediately after high-media incidents. Afterward, we requested the applicable Military Department or the DHA provide a reason for why the selected viewers accessed the health information of the well‑known individual.

 

Finding

The DoD did not effectively control access to health information of well‑known DoD personnel and possibly of any DoD personnel, as exemplified by what we found regarding well‑known DoD personnel. Specifically:

  • 7 viewers were confirmed by the applicable DoD Components as authorized to access the health information;
  • 15 viewers were confirmed by the applicable DoD Components as unauthorized to access health information; these individuals violated HIPAA and DoD guidance; and
  • 22 viewers were not confirmed by the applicable DoD Components as authorized or unauthorized to access the health information of DoD well‑known personnel; however, the access was likely unauthorized.

 

Recommendations

We recommend that the DHA Director, in coordination with the Military Department Surgeons General:

  • perform a review of unauthorized and undetermined access of protected health information of all personnel identified in this audit, (2) based on the results, initiate appropriate disciplinary actions for individuals that were not authorized to access the information of all personnel, and (3) report the incidents in accordance with applicable laws and DoD guidance.

 

Management Comments and Our Response

The DHA Director partially agreed with the recommendation [REDACTED].

Although the DHA Director partially agreed, the comments provided addressed the specifics of the recommendation; therefore, the recommendation is resolved but will remain open. We will close the recommendation once we obtain documentation that shows the DHA [REDACTED]

The DHA Director agreed with the recommendation regarding the review of unauthorized and undetermined access and resulting disciplinary actions, and reporting of incidents. The DHA Director stated that the DHA is in the process of reviewing what we presented as unauthorized and undetermined access of protected health information of all personnel identified in this audit, and anticipates completion of the review this year. In addition, the Director stated that incidents found to be in violation of unauthorized access or disclosure, will be dealt with in accordance with applicable laws and DoD guidance.

Comments from the Director addressed the specifics of the recommendation; therefore, the recommendation is resolved but will remain open. We will close the recommendation once we obtain the results of the review, and verify the actions that the DHA Director takes fully address the recommendation.

 

This report is the result of Proj. No. D2020-D000AW-0037.000.