VA investigation finds employees hid privacy, security risks with patient health data project

Two employees at the Department of Veterans Affairs made false representations and hid privacy and security risks tied to a 2016 artificial intelligence health data project between Flow Health and the agency, according to a recent VA Office of Inspector General report

Eight details: 

1. In 2016, VA and Flow Health had planned to enter into a cooperative research and development agreement, or CRADA, which is a collaboration between a nonfederal organization and a federal lab. These agreements are typically made with private universities or companies. 

2. VA's agreement with Flow Health planned to strengthen the health and wellness of veterans by tapping into VA health data. Flow Health was to apply its AI and machine learning tech to identify disease onset and improve diagnosing accuracy, among other uses. 

3. Under the contract, the VA would have shared the health and genomic data of all veterans who had ever received services at the agency with Flow Health. The agreement would have also required VA to share veterans' current health data for five years. 

4. In November 2016, senior Veterans Health Administration and VA Office of Information and Technology officials became aware of the contract due to media coverage and terminated the agreement before any health information was released. 

5. The CRADA identified an OIT program manager as the leader of the project and a health system specialist in the VHA as the VA principal investigator. The OIG investigation did not find that either of the employees had a financial interest in Flow Health that would create any conflicts of interest. 

6. The OIG investigation, however, did find that the two employees in question made false representations to and concealed material information from the VA approving official for the CRADA. Before the project's approval, three VA privacy experts told the two employees under investigation that there were serious concerns that needed to be addressed before the project could move forward. 

7. Despite the privacy experts' concerns, the two VA employees "failed to disclose the unresolved privacy issues to the approving official" and "falsely represented that all reviews — including privacy, information security, and legal — had been completed and implied that any resulting identified issues had been addressed and resolved," according to the report. 

8. The investigators claimed that the approving official had relied on the information given by the two employees, which resulted in approval of the CRADA under false pretenses. The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. 


Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars