The medical records HIPAA violation that occurred at our clinic turns out to be a major breach of patients' confidential records, and it has been downplayed by our tribal leadership to the extent that they decided to refuse to inform all 229 individuals whose rights were violated. This, my friends, was a violation of the law itself: the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.

If you want to catch up on the story about these medical records being taken home by a clinic employee, here are the links to the first two stories: http://lcotoday.blogspot.com/2015/03/filegate-lco-tribal-council-wont-tell.html and the second story, http://lcotoday.blogspot.com/2015/04/filegate-2-list-of-names-revealed.html

First of all, our tribal chairman was wrong to deny telling those affected. His tribal attorney, Jason Stark, stated in the tribal council meeting two weeks ago that because of HIPAA they didn't have to inform the individuals, citing that it would be a violation of HIPAA in itself to inform them, when in fact there is a clause in HIPAA called the HIPAA Breach Notification Rule that clearly states they do indeed have to inform everyone involved, and within 60 days of the breach.

So, it seems that our tribal leadership has broken the law by refusing to inform the public of this breach. The Rule states that they have to inform everyone in a number of ways, including using the media if over 500 individuals were affected. In this case, I don't know if that many were affected or not. There were 229 names on the list, but how many were affected by all the other documents that were taken from the clinic by this one employee, which included bills, invoices, resumes, mental health information, notes on personnel discussions, letters, emails and so on? I'm not sure if this would classify or not, but in my opinion, this breach was definitely big enough to warrant using the media.

This is not the first time our tribal attorneys have given bad advice to our chairman. It was they who actually advised our leaders to attempt to restrict freedom of speech through that ridiculous social-media-in-the-workplace ordinance. There are actually three full-time attorneys working for this tribe, plus an unknown position that was recently created by the chairman for a friend of his. Yes, there is a fourth person, who isn't an attorney, now working in the legal office doing some sort of work. I don't know the details, but I do know the position was never posted and it didn't exist before.

Our tribal attorney staff continues to give bad advice to their leader, and I'm sure what they will claim this time is that it wasn't a breach under the HIPAA Breach Notification Rule because the files were returned to the clinic. But how many people may have seen those files at the employee's residence over that three-year period? How many neighbors stopped by and looked through people's personal information? How many copies of the files may have been made? These questions remain unanswered.

Here is exactly what the Rule on notification for breaches says:

"Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity."

Here is a link to information on this rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

You can see that this was clearly never done, and according to our chairman at the tribal council meeting two weeks ago, they never intended to do it either. It's right there in black and white how they violated the law in an attempt to make this story quietly go away. In my opinion, there was definitely an attempt by our leadership at a cover-up of this entire story. First, when I attended the meeting two weeks ago, Mic claimed that no one at the council level knew any information about this whole incident, including the names of those affected. But when I received the copy of the names on Saturday, there was a cover page on a simple sheet of paper, not on tribal letterhead, addressed to the clinic director. Here is what it said:

Discussion with Gregg Duffek, Health Director

Regarding (the employee's name)

Documentation that the previous Director authorized the release of the files, paperwork for (her name) to take out of the building and work at home.

Were these actual files? If so, why were they still at (her name's) home? If actual files, why weren't they missed within the Clinic?

The files for working at home: was information entered into a clinic computer or a home computer? If this is a clinic computer, has it been returned to the clinic? If this was not a clinic computer, was any information entered into a home (personal) computer, and where is the entered information now?

Does (her name) have a HIPAA and Confidentiality Agreement within her file?

What was the disciplinary action? Was it followed through?

Any idea how this issue turned up on Facebook?

This document was more like notes than any official letter in regard to the incident. It wasn't on tribal letterhead. It wasn't even signed by the chairman, nor does it even have his name on it. This whole thing stinks of a cover-up, almost like this document was prepared later rather than at the beginning of the whole incident.

At the beginning of the notes on the cover sheet above, it states that the previous director signed off on her taking the work home with her, and this part is bolded to make sure to draw attention that this was approved by the director, rather than ordered by any council member. I'd like to also point out that the previous director was Don Smith, and not Gaiashkibos as many are being led to believe. I have spoken to both Gosh and Don about this, and they both said they had nothing to do with this and didn't sign off on her taking her work home. They both did say to me that they believe the employee may have taken the work home and that the actual records taken didn't have social security numbers on them, but that they were just encounter forms and she had to code the recorded visit for billing purposes. What is sad about all this is, if that is true, why did our chairman allow this thing to grow into the ugliness it has become? If it were that simple, then why didn't he just come out right away with a public statement informing everyone just what happened and what type of records were taken?

And why put on the cover sheet a bolded statement saying there is documentation that the previous director signed off on the employee taking her work home if this didn't actually occur, since both of the previous two directors claim they never did sign off for her to take work home? If this is true, then it is time that our chairman produce this documentation and put to rest the rumors that are festering out of control.

In addition to the Rule above about breach notification, our council or clinic management also has a responsibility to show that all required notifications were made and, if the breach doesn't require it, to disclose just why the notifications weren't required. So, if they stick to their claim that notification wasn't required, they still have to show why it wasn't required. Here is that quote from the Rule:

"Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of 'breach.'"

So, there you have it, tribal membership. Our council has in fact violated HIPAA by not informing the public about the possible breach, or at least providing documentation on why they believed it wasn't a breach. They did neither.

And there are conflicting stories coming out, which would lead one to believe there is an attempt at a cover-up. What conflicting stories? The cover sheet listed above makes the claim that a previous director signed off on the employee taking the documents, when in fact both previous directors, Gosh and Don Smith, said they never signed off on this.