Privacy breach at N.I.H.

The Inyo County District Attorney’s office has begun an investigation into a privacy breach at the Northern Inyo Hospital (NIH) “to determine if there was any criminal wrongdoing,” according to District Attorney Tom Hardy. The breach came to light in August of this year, when Health Information Management Director and Privacy Officer Kelli Huntsinger noticed a hard copy of NIH patient Tami Matteson’s file on the desk of Hospital Records employee Cherie LaBraque. Hospital Administrator John Halfen explained that Huntsinger, LaBraque’s supervisor, was aware of a personal dispute between employee LaBraque and patient Matteson.

On Oct. 16, Matteson addressed the NIH Board in open session and explained that she believed LaBraque used her medical file to document that she was an unfit mother during a custody battle with her ex-husband, who is now married to LaBraque.

According to Halfen, LaBraque was fired within hours of the discovery of the privacy breach. NIH has since conducted its own investigation into the breach, and discovered that LaBraque accessed Matteson’s file a total of 14 times, 13 of those times over a two-day period in 2010. Halfen confirmed that the Hospital also found that LaBraque had accessed the files of a second patient, Lauren Nitschke, a friend of Matteson’s.

Halfen noted that no privacy breaches have occurred prior to this one in the 12 to 13 years he has been with NIH. He stressed that LaBraque received all the proper training to ensure that she wouldn’t compromise the privacy of hospital patients, including completing three “MediCon” courses and passing a three-part exam each year to certify that she was educated in current Health Insurance Portability and Accountability Act  (HIPPA) and patient confidentiality laws. “If we have a rogue employee that just decides to commit a felony, there’s not a hell of a lot we can do about it, other than to take the corrective action we did,” Halfen said.

Matteson is currently filing a claim with the NIH Board, Halfen explained. The claim will amount to a settlement that has yet to be determined. NIH has reported the privacy breach, and Matteson’s claim, to the Centers for Medicare and Medicaid Services (CMS), the federal agency that administers Medicare, Medicaid and the State Children’s Health Insurance Program. Halfen said the CMS has not taken any steps to reprimand the Hospital, although it is within the purview of CMS to open its own investigation into the breach and fine NIH, if it finds NIH was at fault.

As for the District Attorney’s investigation, “We’re dealing with all allegations at this point,” said Hardy. Because of the nature of the purported crime, “This can be both a civil liability and theoretically a criminal liability,” he said.

Halfen encouraged any patients who might be concerned about illegal access to their medical files to contact the NIH Records Department. Thus far, he said, he is aware of one person who has done so. “His records were not breached,” Halfen said.