Thousands of veterans were alarmed to learn VA is quietly rolling out is plan to automatically share veterans’ health information with third parties without written consent.
You got that right. Thanks to the VA MISSION Act, VA will now automatically enroll, or opt-in, all veterans into a health information sharing system with numerous government agencies and private organizations after September 30, 2019, unless you object in writing on a paper form.Veterans must submit the VA Form 10-0484 in person or by mail to their local VA Release of Information office by of September 30, 2019, if they do not want to be “automatically enrolled” into the eHealth Exchange managed by The Sequoia Project.
Sound absurd? Here is what VA wrote in its Virtual Lifetime Electronic Record (VLER) FAQ:All Veterans who have not previously signed form 10-0484 as of September 30, 2019 will be automatically enrolled, but have the option to opt out.
Let me say that a third way in case I have not been clear.
VA will automatically share your health information with third parties without your written consentunless you opt-out in writing or submit a revocation in writing submitted in person or by US mail. You cannot submit your opt-out or revocation electronically.
How ironic, right?
In the name of technology, VA is about to force veterans into an electronic data sharing system without consent. The only way to prevent this violation is to present your objection on an agency mandated form ON PAPER by hand or snail mail by Monday. How old school.
And we are just learning about the deadline now.
In order to opt-out or revoke consent, there are a couple of forms you need to consider, noted above… but you only have until Monday to figure it out.Curiously, the VA Form 10-10164 opt-out that is not technically an official form until October 2019 based on the available form.
One could argue that submitting the 10-10164 before September 30 may still result in a veteran’s automatic opt-in and then opt-out since the form may lack legal effect until October 2019.
So, the forms you can use to opt-out or revoke consent:
- VA Form 10-0484 Revocation for Release of Individually-Identifiable Health Information Through eHealth Exchange (old)
- VA Form 10-10164 Opt-Out of Sharing Protected Health Information Through Health Information Exchanges (new)
No. The agency requires that you either hand deliver the signed form or mail it to the local Release of Information office at your VA Medical Center by Monday.
No revocations will be processed after September 30, 2019. I hope VA will not auto-opt-in veterans who submit the new form before the deadline.
Either way, if you fail to take action by September 30, your health information will be shared with the eHealth Exchange managed by The Sequoia Project.
Once health information is shared, it cannot be unshared as best I can tell from the information available including the old form.
This means meaning you lose control of your data. While you can possibly opt-out at a later date, whatever is shared is out there in the great and mysterious cloud for whatever hacker to access however and whenever they choose.
Who may get access?The eHealth Exchange is a massive data-sharing system between federal agencies and private organizations in all 50 states that was originally controlled by the Department of Health and Human Services.A nonprofit called The Sequoia Project took over management of the eHealth Exchange for “maintenance.” Many VA contractors and vendors are on the Board of Sequoia including Cerner and Mitre Corporation.
VA reassures us everything is safe. Right. Kind of like all the times our data was illegally shared or hacked within the existing system?
“Rest assured. Your health information is safe and secure as it moves from VA to participating community care providers,” promises VA.
Believe them? We don’t, either.
We Drove To Minneapolis VA To InvestigateOn Thursday, colleague Brian Lewis and I went to Minneapolis VA Medical Center immediately after reviewing what I describe below to confront agency officials about the highly questionable timing of the notice.
The Facebook Live video contains our initial impressions, which later evolved after we spoke with local officials and conducted an additional deep dive. Veterans who do not revoke consent/opt-out by September 30 will be enrolled automatically per the VLER FAQ.We learned some inside baseball by asking around about it and inspecting the facility. But, many of the VA officials we spoke with were generally unaware of what VA Central Office was rolling out.
Our local Release of Information booth at Minneapolis VA did not have any of the forms available for veterans seeking to opt-out or revoke their previous consent. The attendant seemed to think her boss might bring some forms up sometime Friday or Monday since a few veterans were asking about it.
Btw, you may have noticed my reference to “booth” about our ROI. In order to speak with someone at ROI, Minneapolis VA leadership decided to move the ROI intake to the open lobby area where anyone and everyone can hear about what you are asking about regarding your private health information.
So much for privacy when trying to get your private health records.For newbies reading this, Brian and I are veterans rights attorneys in the Minneapolis Metro who are well-known, but not well-loved, by VA officials locally and nationally.
I will explain the forms in a bit.
Back In The Day When Consent Was In Writing… And It Mattered
For years, VA was required secure informed consent from veterans prior to the sharing of health information. Whether you were a veteran trying to get care in the community or allow your attorney access to a claims file, you were required to provide VA with a release of information granting consent to share the date.If you wanted to give VA your genomic information so they could share it with private researching organizations for God knows whatever reason, specifically the Million Veteran Program, you had to sign a form granting permission.If you wanted to opt in to allow your community care provider to use the health exchange to access your electronic health records, you need to sign the VA Form 10-0485. If you wanted to revoke that access, you needed to sign and submit the VA Form 10-0484.
There’s Gold In Those Records, Boys And Girls
To me, and millions of other veterans, this process seems straightforward, but VA officials, university researchers, and private industry really wanted more access to more veteran data since our electronic health records comprise one of the most valuable datasets in the history of the world to date.
Yes, there is an incredible monetary value within the database containing all of our electronic health information, and private industry would profit handsomely from various marketing, advertising, and health solutions that could be developed by simply accessing our records.Now, that access to our records comes at a cost. For at least the past eight years, standard HIPAA requirements to de-identify records no longer provide the security previously believed. Companies like Facebook readily work to hack HIPAA protections using algorithms to connect HIPAA de-identified data with a person’s Facebook profile using various markers including data like that given by veterans to the Million Veteran Program, for example.That data can then provide the backbone of entirely new research and advertising arm of companies like Facebook and Google to connect pharmaceutical ads with individuals who may be interested in the newest and greatest pill for anxiety or erectile dysfunction.
VA Throws Off The Heavy Yoke Of PrivacyFortunately for business partners, researchers, and anyone else who wants to access our data but not be troubled with difficult privacy laws, VA will no longer have its research potential hamstrung by sentimental laws like the Privacy Act or HIPAA.Veterans can thank Congress and its passage of the VA MISSION Act for allowing automatic access to all veterans’ health information by third party community care providers and “partners.”
One of my readers alerted me to a change in protocol yesterday starting with a PDF flyer circulating at VA.That flyer, called the Veteran Notification Flyer, informs veterans of the five things we “need to know” about the VA’s new implementation of the health information mandate. I included this below in italics verbatim from the agency’s flyer.
You may be thinking, ‘Well, at least VA thought to give you notice.’
Not exactly. I have not received any notice yet. However, many veterans are writing in starting yesterday with notice letters that VA was transitioning veterans into a new and brave system of data sharing.
The flyer was created September 11, 2019, informing veterans that in 20 days the process was flipping on its head where we need to opt-out after automatically being opted-in.
5 Things You Need To Know About Health Information Sharing
- The VA MISSION Act allows VA to now share your health information with participating community care providers for your care and treatment as permitted by federal privacy laws.You do not have to take any action unless you choose not to share your health information electronically.
- Rest assured. Your health information is safe and secure as it moves from VA to participating community care providers. VA uses a secure network called the Veterans Health Information Exchange (VHIE) to protect and easily share in real-time your health information.
- Sharing your health information saves you time, and improves your health. By having all of your information available, your providers will have a more complete picture of your health history to better inform treatment decisions.
- You can always opt out of sharing your information. If you don’t want to share your health information electronically, complete and return VA Form 10-10164 (Opt Out of Sharing) to the Release of Information (ROI) Office at your VA Medical Center or by mail.If a community care provider requests your records in an emergency, information will be shared even if you have opted out of sharing. Traditional paper forms of health information sharing will remain available regardless of your preference to share or not share electronically. If you opted out of sharing, but change your mind, you can opt back in and authorize VA to share your health information by completing and returning VA Form 10-10163 (Opt In for Sharing) to your ROI Office or by mail.
- If you have previously signed VA Form 10-0484 to revoke your consent to share prior to September 30, 2019, that preference will be honored.
If you are a little unclear about how to be sure no one receives the health information, you are in good company. A lot of readers and agency officials were unclear of exactly what is going on, and multiple dates are floating around within VA’s own notices.One page reads, “VA will begin opting all Veterans into health information sharing, beginning January 2010.” Another page reads, “VA Systems will begin opting all Veterans into health information sharing, beginning January 2020.”
So, when did or will VA start the sharing of our health information without consent?
An intranet notice to VA employees indicated the actual process of sharing will start on or about November 18, 2019.
The VLER FAQ sheet probably provides the best advice specific to veterans who do not want their data shared in the electronic system:
All Veterans who have not previously signed form 10-0484 as of September 30, 2019 will be automatically enrolled, but have the option to opt out. Beginning late 2019, a VA patient’s information will be shared with any community providers that also provide health care services for the shared patient.
“Revocation forms will not be processed after September 30, 2019. However, if you submit VA Form 10-0484, before September 30, your preference will remain honored and no further action is needed by you.”
This language suggests the form must be submitted before September 30, because the agency will stop processing them after September 30.
But how to do you revoke the consent that you never granted?
What is also important is the language difference between the two forms.
Old VA Form 10-0484 vs New VA Form 10-10164
Let’s start with the new form, VA Form 10-10164. Basically, the form says the agency cannot share your health information unless treatment is required for an emergency:
- Opt-out means that none of your health information can be shared through HIE for your treatment except in a life-threatening medical emergency.
- Opt-in means that all of your health information can be shared through HIE for your treatment.
So, the opt-out is not absolute. The form also indicates the opt-in means all your health information can be shared for treatment.
What about your mental health records? How will VA protect that data? Could that data also be shared with DHS or other organizations for their own purposes?
The VA Form 10-0484 handles the issues differently.
First, it addresses that the signer revokes their previous consent. Obviously, most of us never consented to this program. So, by signing this 0484, can you preemptively revoke?
That is a question for your local Release of Information Official.
The old form provides the following list about revocation that I think is far clearer about what is at stake. Here is the list from VA in italics:
- I am requesting to discontinue my participation in the electronic exchange of my individually-identifiable health information.
- I understand that you will no longer share any of my individually-identifiable health information with the non-VA health care provider organizations participating in the eHealth Exchange and partnering with VA.
- I understand that information already exchanged between both parties prior to this revocation will continue to be used as discussed in the authorization I signed when I elected to participate in this electronic exchange of my individually-identifiable health information.
- I understand that withdrawing from this program does not change my relationship with my health care providers, my future care, or have any effect on my VA benefits.
- I understand that the VA will respond to this revocation in writing or through the eBenefits Portal informing me that VA has confirmed my request and the effective date of this revocation.
One of the differences that jumped out at me in the old form was the promise that VA “will no longer share any of my individually-identifiable health information”. It did not qualify that revocation by stating the information will be shared in an emergency.However, the revocation qualifies the health information by calling it “individually-identifiable health information” demonstrating the agency will share your information so long is it is de-identified. As noted above, merely adhering to HIPAA is no longer sufficient to protect your identity or other information that can be traced right back to you with today’s computing power.
What About Health Information Already Shared
The old 10-0484 says the information “already exchanged” will continue to the used despite revocation meaning once the information is out there, it is out there.
The health information being passed between VA and its community care providers is supposedly shared in “guidance” with the Health Insurance Portability Accountability Act (HIPAA) regulations.
Do we have enough information to make informed decisions? Does VA seem to give a rip about our informed consent?
I plan to update this post as more information comes out. You may want to check back from time to time.