VA Privacy Service

Incident Management and Response

How to Report a Privacy Incident

What is a Privacy Incident?

A privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of the Department of Veterans Affairs (VA) sensitive personal information (SPI), including personally identifiable information (PII) and protected health information (PHI), whether physical or electronic, in a manner not permitted under the applicable confidentiality provisions.


Reporting a Privacy Incident

Always report suspected or confirmed privacy incidents to your local VA facility Privacy Officer. To locate your local Privacy Officer, you must contact your local VA facility, or you may email VA Privacy Service at privacyservice@va.gov.


Be Ready to Submit:

The caller should be prepared to answer questions about the privacy incident such as:

  • Caller’s name
  • Phone number
  • Location
  • Date of incident
  • What was lost, compromised or disclosed?
  • What happened?
  • Was data encrypted if it was an electronic device?
  • Was the electronic device turned on, and if so, was it password protected?

Useful Definitions

Sensitive Personal Information (SPI):

SPI, as defined in VA Handbook 6500, is any information about the individual maintained by an agency, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual’s identity, including name, Social Security number, date and place of birth, mother’s maiden name, or biometric records.



Personally Identifiable Information (PII):

PII, as defined in VA Handbook 6500, is any information about an individual that can be used to distinguish or trace an individual’s identity, alone or when combined with other information which is linked or linkable to a specific individual, such as: name, Social Security number, date and place of birth, mother’s maiden name, telephone number, driver’s license number, credit card number, photograph, fingerprints, biometric records, education, financial transactions, medical history, and criminal or employment history, etc.



Protected Health Information (PHI):

PHI, as defined in VA Handbook 6500, is individually identifiable health information held by a covered entity or by a business associate acting on its behalf.