HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system.

An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016.

The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses.

The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment at the VA being provided to Flow Health. The deal was brought to the attention of senior VA IT leaders in November 2016 following media coverage of the deal after Flow Health issued a press release announcing the new initiative.

Please see the HIPAA Journal Privacy Policy

The CRADA had been approved but was unilaterally terminated in December 2016 before any veteran data was transferred. The VA’s IT leaders requested the OIG conduct an investigation into potential conflicts of interest between the two employees and Flow Health in December 2016.

The CRADA would have seen private and confidential health data provided to Flow Health for 5 years. According to Flow Health, the project would see the company build “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years,” and that the project with the VA was “a watershed moment for deep learning in healthcare.” To protect the privacy of veterans, Flow Health said it would de-identify all patient data during analysis.

One of the VA employees worked as an Office of IT program manager and the other as a Veterans Health Administration health system specialist at the VHA central office. OIG investigated whether either of the employees had any financial conflicts of interest related to the deal with Flow Health, and while no financial conflicts of interest were found, OIG did discover the employees concealed material information about the privacy and security risks of the project and made misrepresentations about the risks which led to the project being approved under false pretenses.

In the report, False Statements and Concealment of Material Information by VA Information Technology Staff, OIG said the VA official tasked with approving or rejecting the proposed project requested the employees provide an explanation of the cybersecurity implications of the Flow Health project.

OIG said the two employees concealed information from the VA official and did not divulge that subject matter experts had raised significant privacy and security concerns about the project. The two employees also made false statements to the VA official about the status of privacy and security reviews, indicating they have been conducted and all issues had been addressed. They also advocated the VA official execute the contract with Flow Health.

The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. The OIG recommended the VA determine whether administrative actions should be taken over the employees’ conduct, and the VA concurred with the recommendation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.