{"id":8249,"date":"2021-02-21T21:45:32","date_gmt":"2021-02-21T21:45:32","guid":{"rendered":"http:\/\/ncjolt.org\/?p=8249"},"modified":"2021-03-08T23:06:45","modified_gmt":"2021-03-08T23:06:45","slug":"two-veterans-affairs-employees-lies-placed-health-data-for-millions-of-veterans-at-risk","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/two-veterans-affairs-employees-lies-placed-health-data-for-millions-of-veterans-at-risk\/","title":{"rendered":"Two Veterans Affairs Employees\u2019 Lies Placed Health Data for Millions of Veterans at Risk"},"content":{"rendered":"\n<p class=\"has-drop-cap\">On January 28, 2021, the Office of Inspector General (OIG) for the Department of Veterans Affairs (VA) published a <a href=\"https:\/\/www.oversight.gov\/report\/VA\/False-Statements-and-Concealment-Material-Information-VA-Information-Technology-Staff\">report<\/a> detailing how two employees \u201cmade false representations\u201d and \u201cconcealed material information\u201d concerning a contract with an artificial intelligence company. The contract was brought to the OIG\u2019s attention by a pair of high-level VA officials who questioned whether several VA employees had conflicts of interest in connection with the recently signed contract. Later that month, the VA unilaterally terminated the agreement\u2014only twenty days after the contract was signed. If the VA had not acted quickly, the \u201chealth data of tens of millions of veterans would have been placed at risk of disclosure.\u201d<\/p>\n\n\n\n<p>In the fall of 2016, the VA was considering a cooperative research and development agreement (CRADA) with Flow Health. Flow Health is a big data company that uses artificial intelligence, gleaned from its large data sets, to guide medical decision-making. 
According to their CEO, Alex Meshkin, Flow Health\u2019s <a href=\"https:\/\/www.businesswire.com\/news\/home\/20161129005475\/en\/\">mission<\/a> is to \u201cadvance healthcare by applying the latest artificial intelligence techniques to improve the detection, diagnosis, treatment and management of diseases.\u201d<\/p>\n\n\n\n<p>This type of contractual arrangement between the VA and a private company is not unique. The VA routinely enters into CRADA agreements with both public and private parties to partner on research and development, as authorized under <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/15\/3710a\">15 U.S.C. \u00a7 3710a<\/a>. However, these research and development activities are usually \u201cassociated with the provision of medical care to veterans\u201d and overseen by a different office than the one in charge of the Flow Health CRADA.&nbsp;<\/p>\n\n\n\n<p>In this particular CRADA agreement, the VA wanted to use Flow Health\u2019s \u201cdeep learning and artificial intelligence resources to discover evidence to prevent disease onset, improve the precision of diagnoses, and identify treatment plans that together position clinicians to make recommendations tailored specifically for individual veteran patients.\u201d Flow Health benefitted from the agreement, too. They planned on using the veterans\u2019 health data to create \u201cthe world\u2019s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years.\u201d<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>&#8220;I would be remiss in my responsibilities to VA if I didn\u2019t caution about security issues introduced by the characteristics of this CRADA. 
We can certainly talk more about these, but in short the integration of large data sets of [Protected Health Information], compounded by computation in a cloud environment, introduce a number of regulatory and statutory security challenges.&#8221;<\/p><\/blockquote>\n\n\n\n<p>Two VA employees, a program manager in the Office of Information Technology (OIT program manager) and a health system specialist in the Veterans Health Administration (VHA employee), were involved in establishing the Flow Health CRADA. In the agreement, the OIT program manager was designated the \u201cCRADA leader\u201d and the VHA employee was listed as the \u201cprincipal investigator.\u201d While these two employees did not have authority to approve the deal themselves, they were responsible for conducting research and getting approval from the VA official who did have authority to sign off on the CRADA.<\/p>\n\n\n\n<p>The OIT program manager and the VHA employee knew <em>from the beginning<\/em> that this deal posed privacy concerns. In June 2016, a VA contract official warned:<\/p>\n\n\n\n<p>\u201cI would be remiss in my responsibilities to VA if I didn\u2019t caution about security issues introduced by the characteristics of this CRADA. We can certainly talk more about these, but in short the integration of large data sets of [Protected Health Information], compounded by computation in a cloud environment, introduce a number of regulatory and statutory security challenges.\u201d<\/p>\n\n\n\n<p>The legal team\u2019s deputy chief counsel expressed concerns, too. After asking another VA attorney who specializes in information law to look over the agreement, the information law attorney replied: \u201cI know VHA has been very concerned with the re-identification of even de-identified data under the Health Insurance Portability and Accountability Act (HIPAA) safe harbor. 
So, this is definitely one that needs to be routed through VHA Privacy.\u201d However, when the deputy chief counsel passed this recommendation along, the OIT program manager falsely claimed that the privacy team had already looked over the CRADA and was \u201ccomfortable with it.\u201d<\/p>\n\n\n\n<p>In September 2016, the approving official inquired about \u201cthe cybersecurity implications of the proposed CRADA.\u201d Thus, the OIT program manager was obligated to reach out to the cybersecurity director. Echoing the legal team\u2019s concerns, the cybersecurity director added a privacy team member to the email chain and asked privacy to look over the document. The next day, the OIT program manager claimed to have already worked with the legal team to implement HIPAA and that all of \u201cthe necessary requirements [are] in place to move forward.\u201d Notably, the OIT program manager removed the approving official from the email chain.<\/p>\n\n\n\n<p>Once privacy was looped into the conversation, the OIT program manager and the VHA employee received multiple emails from members of the privacy team who were alarmed by the CRADA. Members of the regulatory team and the Million Veteran Program also called and sent emails. Those calls and emails were ignored. Meanwhile, the OIT program manager and the VHA employee used their personal email accounts and cellphones to communicate with Flow Health, violating <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/44\/2911\">records<\/a> <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/44\/3301\">management<\/a> laws.<\/p>\n\n\n\n<p>Ultimately, the approving official signed the CRADA, believing it was an acceptable agreement because of the false information he was provided. 
During the OIG\u2019s investigation, he explained, \u201cEverybody that I thought was supposed to &#8230; said it looked fine, and that\u2019s why I signed the CRADA.\u201d Based on these facts, the OIG found that the OIT program manager and the VHA employee \u201cmade false statements\u2026 pertaining to the status of the information security and privacy reviews\u201d and \u201cconcealed\u2026significant privacy concerns raised by subject matter experts.\u201d Not only did they hide relevant concerns from the approving official\u2014they falsely and intentionally implied \u201cthat any identified issues had been addressed and resolved\u201d in an effort to induce the official to approve the CRADA.<\/p>\n\n\n\n<p>Notably, the \u201cOIG did not substantiate that any of the employees named in the complaint had a financial interest in Flow Health that would create a conflict of interest <em>under relevant law<\/em>.\u201d However, it\u2019s unclear whether any \u201clawful\u201d financial interests were discovered. The OIG also referred their findings to the U.S. Department of Justice, which declined to prosecute.<\/p>\n\n\n\n<p><strong>Caroline Pope<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On January 28, 2021, the Office of Inspector General (OIG) for the Department of Veterans Affairs (VA) published a report detailing how two employees \u201cmade false representations\u201d and \u201cconcealed material information\u201d concerning a contract with an artificial intelligence company. 
The contract was brought to the OIG\u2019s attention by a pair of high-level VA officials who <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/two-veterans-affairs-employees-lies-placed-health-data-for-millions-of-veterans-at-risk\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":4,"featured_media":3585,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8249"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=8249"}],"version-history":[{"count":3,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8249\/revisions"}],"predecessor-version":[{"id":8260,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8249\/revisions\/8260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/3585"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=8249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=8249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=8249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}