Codify — Article

Bans sale of veterans’ health and identifying data in VA contracts

Creates a statutory prohibition on contractors selling VA-held sensitive personal information, requires protective contract clauses, agency guidance, and a one-year compliance report — reshaping VA procurement and data use.

The Brief

The bill amends title 38 to stop the Department of Veterans Affairs (VA) from signing contracts that permit contractors to sell or otherwise disclose for consideration veterans’ sensitive personal information. It directs the VA to insert anti‑monetization clauses into covered contracts and to issue guidance to help staff and contractors identify improper monetization or misuse.

The measure also sets a one‑year deadline for implementation and requires the VA to report the contract clause, the guidance, and a summary of actions taken to the House and Senate Committees on Veterans’ Affairs. For procurement officers, privacy teams, and vendors, the bill changes how VA data can be used and requires contract rework and new monitoring practices.

At a Glance

What It Does

The bill adds a new subsection to 38 U.S.C. §5725 that bars the Secretary from entering into any contract that permits a contractor to sell sensitive personal information held by the VA. It also requires the VA to add an anti‑monetization clause to covered contracts, issue staff and contractor guidance, and deliver a compliance report within one year of enactment.

Who It Affects

VA contracting officers, existing and prospective VA contractors and subcontractors (including affiliates), VA privacy and compliance offices, and veterans whose protected health information (PHI) or personally identifiable information (PII) the Department holds.

Why It Matters

The bill closes a procurement pathway that could allow monetization of veterans’ data and places an affirmative compliance burden on the VA to rewrite or modify contracts and issue operational guidance. It also expands the legal definition of covered data to include anonymized records and references multiple federal privacy authorities, which shapes how vendors may lawfully use VA data.


What This Bill Actually Does

At its core the bill makes selling veterans’ personal data through VA contracts a statutory no‑go. It accomplishes that by inserting a prohibition into title 38: the Secretary may not enter into a contract that permits a contractor to sell or otherwise disclose for consideration sensitive personal information maintained by the VA.

That legal change attaches directly to procurement choices — a contracting vehicle that authorized data monetization would violate federal law under the amended statute.

Beyond the outright ban, the bill forces operational change. The VA must ensure every “covered contract” includes a clause that forbids monetization, sale, or misuse of covered information, and the Department must publish internal guidance so employees and contractors can spot and stop prohibited behavior.

The statute gives the VA one year from enactment to insert or modify clauses and to produce the guidance, so procurement, legal, and privacy teams will need to coordinate rapidly to update templates and active agreements.

The bill’s definitions are consequential. A “covered contract” includes new contracts and existing contracts that have not yet expired at enactment, so legacy agreements can be caught by the rule. “Covered information” is broad: it expressly includes protected health information and personally identifiable information, even if anonymized, and it cross‑references 5 U.S.C. 552a, portions of title 38 (sections 5701 and 7332), and HIPAA implementing regulations (45 C.F.R. parts 160, 161, 164).

Finally, the VA must report to the House and Senate Committees on Veterans’ Affairs within one year with the contract clause, the guidance, and a summary of other compliance steps taken, creating a short clock for implementation and congressional visibility.

The Five Things You Need to Know

1. The bill amends 38 U.S.C. §5725 by adding a new subsection that prohibits the Secretary from entering any contract that permits a contractor to sell (or otherwise disclose for consideration) sensitive personal information maintained by the VA.

2. Within one year of enactment the VA must add or modify each covered contract to include a clause forbidding monetization, sale, or misuse of covered information and must issue guidance for employees and contractors on identifying prohibited monetization.

3. ‘Covered contract’ covers contracts entered into after enactment and contracts in effect on enactment that have not yet expired, meaning many existing vendor agreements may require modification.

4. ‘Covered information’ explicitly includes protected health information and personally identifiable information — including anonymized data — and cites 5 U.S.C. 552a, 38 U.S.C. 5701 and 7332, and 45 C.F.R. parts 160, 161, and 164 (HIPAA rules) as examples of protected categories.

5. The VA must deliver a report to the House and Senate Committees on Veterans’ Affairs within one year containing the contract clause, the guidance, and a summary of other measures taken to comply.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 1 (Short title)

Act name: Protect Veterans from the THIEF Act

This short title identifies the bill and signals its focus on theft of health and identifying information in electronic forms. Practically, the short title has no legal effect, but it frames the statute for stakeholders and for internal VA communications about the new requirements.

Section 2 (Amendment to 38 U.S.C. §5725)

Statutory prohibition on contracts permitting sale of sensitive data

The bill adds subsection (d) to 38 U.S.C. §5725, directly prohibiting the Secretary from entering any contract that permits contractors to sell or otherwise disclose for consideration sensitive personal information maintained by the Department. Because this sits inside title 38, the prohibition becomes a substantive constraint on VA procurement authority: contracting officers must ensure awarded instruments do not contain terms that allow monetization of covered data.

Section 3(a)

Mandatory contract clause and internal guidance

The Secretary must, within one year, make sure each covered contract includes a clause that forbids monetization, sale, or misuse of covered information. The provision also requires a directive or policy for VA employees and contractors describing how to spot monetization or misuse. That creates two complementary compliance tools: a contractual obligation on vendors and a practical detection and escalation process for VA staff.

Section 3(b)

Reporting requirement to congressional Veterans’ committees

Not later than one year after enactment the VA must submit a report to the House and Senate Committees on Veterans’ Affairs containing three elements: the required contract clause, the issued guidance, and a summary of other actions taken to comply. The report mechanism builds congressional oversight into the implementation timeline and provides a single deliverable for committees to evaluate compliance.

Section 3(c)

Definitions of covered contract and covered information

This subsection defines ‘covered contract’ to include both future contracts and pre‑existing contracts that have not expired, and defines ‘covered information’ broadly to include PHI and PII — explicitly encompassing anonymized data — while citing 5 U.S.C. 552a, 38 U.S.C. sections 5701 and 7332, and HIPAA regulations (45 C.F.R. parts 160, 161, 164). Those cross‑references matter operationally because they import familiar privacy regimes into the bill’s scope and widen the set of data subject to the monetization ban.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Veterans and their families — the ban limits the risk that VA‑held health records, identifiers, or derivations of that data will be sold to third parties, reducing exposure to privacy harms and identity theft.
  • VA privacy and compliance officers — the statute gives them statutory backing to demand contract terms that restrict secondary uses and to standardize protections across vendors.
  • Privacy advocates and consumer groups — the law creates a clear legal hook to challenge or scrutinize any VA contracting practice that approaches data monetization, strengthening oversight channels.

Who Bears the Cost

  • VA contractors, subcontractors, and affiliates — they must stop any data monetization practices tied to VA contracts, amend contracts, and adjust data business models; some vendors that monetize data may withdraw from VA procurements.
  • VA procurement and legal teams — they face short‑term administrative and legal burdens to insert or renegotiate clauses in active contracts, update templates, and enforce compliance with a one‑year deadline.
  • Smaller vendors and data brokers — those that relied on secondary data sales as revenue may lose income streams or incur compliance costs to segregate VA data from monetizable pools.

Key Issues

The Core Tension

The central dilemma is protecting veterans’ privacy by shutting down any avenue for commercial monetization of VA data, versus preserving the operational flexibility and data uses (analytics, research, cost recovery arrangements) that help the VA deliver services. A blunt prohibition reduces privacy risk, but it risks blocking legitimate, beneficial data activities and complicating procurement and vendor markets.

The bill is precise about prohibiting sale or disclosure for consideration, but it does not specify enforcement mechanisms, civil penalties, or remedies if a contractor violates the prohibition. That omission leaves open questions about how the VA will detect breaches, what sanctions it can impose under existing procurement law, and whether victims of misuse will have private remedies.

The definitions are broad in a way that can create operational friction. Including anonymized data in “covered information” and citing both the Privacy Act and HIPAA-related rules sweeps in analytics, de‑identified datasets, and certain research uses that agencies and contractors commonly rely on.

The phrase “sell (or otherwise disclose for consideration)” may capture legitimate commercial arrangements that reimburse vendors for data hosting or processing services unless guidance carefully distinguishes prohibited monetization from routine cost recovery. Finally, retrofitting contracts that are in effect on enactment raises practical problems: vendors will push back on unilateral modifications, and the VA will need a clear compliance pathway for contracts with long‑tail obligations or third‑party entanglements.
