Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in a case that has shaken community members and NIH itself.
This past summer, hospital officials noticed that an employee in the records department had illegally obtained and was in possession of a patient’s medical file. Hospital Administrator John Halfen said Thursday that the employee, Cherie LaBraque, was fired within hours of the discovery, but the ramifications of the theft are far-reaching.
The patient whose records were stolen, Tami Matteson, addressed the Northern Inyo Hospital Board in open session Wednesday evening, testifying that the breach in confidentiality has shaken her faith in the local healthcare system and she may have to move out of the community.
“My entire medical record was reviewed – possibly copied and disseminated and discussed with who knows who all … and held by a Northern Inyo Hospital employee,” Matteson said.
Inyo County District Attorney Tom Hardy said Friday morning that his office is aware of the matter and is conducting its own investigation. Due to the ongoing investigation, Hardy said he could not comment on the specifics of the case, but he did point out that the illegal or unauthorized access of private medical files could be a violation of the Health Insurance Portability and Accountability Act.
In general, Hardy said, “HIPPA is one of those very complicated laws” that could result in civil or criminal charges, or both.
Matteson has said that her medical files were used in an attempt to document that she is an unfit mother while she was engaged in a bitter custody battle with her ex-husband, who is now married to LaBraque.
“This has put me through horrible things. It’s embarrassing and horrifying,” Matteson said. “She went into other people’s records too. I will never know what she did with” the records or who she showed them to.
According to Halfen, an investigation conducted by the hospital revealed that LaBraque had accessed Matteson’s file a total of 14 times. The first 13 breaches occurred over a two-day period in 2010. “At that time, she did write letters to the court during the custody battle,” Matteson said.
In early August of this year, LaBraque’s supervisor, Kelli Huntsinger, noticed a hard copy of Matteson’s records on LaBraque’s desk. Halfen said Huntsinger was aware of the personal dispute between the employee and the patient, and immediately questioned LaBraque as to why she would have that file.
Halfen explained that LaBraque was fired within hours of Huntsinger discovering that she was in possession of files that she had no legal business to have.
“We were able to determine that a breach did take place,” Halfen said, adding that the Hospital Board has determined that NIH as an organization is not at fault, as LaBraque received the necessary HIPPA training and was aware of procedures and protocols that are set forth to protect patients’ rights.
“What happened is, we had a corporately trained and trusted employee (in the hospital records department) who took advantage of that trust and accessed protected health information,” Halfen said.
He added that LaBraque was required to complete three “MediCon” courses and pass a three-part exam every year to ensure that she was up to speed on HIPPA and patient confidentiality laws. “Every employee is aware of their responsibilities and the hospital can only do so much in the case of a rogue employee,” Halfen said.
The hospital board offered Matteson a settlement on her claim in closed session at Wednesday’s meeting. However, Matteson was not permitted to address the board during its closed session meeting, due to Brown Act laws.
Halfen said that Matteson did not specify a dollar amount to settle her claim against the hospital, but the board “didn’t think it was right to do nothing.”
NIH has reported the breach and Matteson’s claim to the Centers for Medicare and Medicaid Services, the federal agency that administers Medicare, Medicaid and the State Children’s Health Insurance Program. That agency has the ability to open its own investigation into the breach and, if it finds the hospital is at fault, can fine NIH.
Halfen said that, as of Thursday, the CMS had not taken steps to reprimand the hospital. “They are typically understanding of individual cases” and it isn’t likely that the hospital will face fines, Halfen said.
According to Halfen, hospital officials have taken the breach seriously. “We’ve already had a session or two of counseling for the folks in that department” to ensure that there is no question that the staff has been properly trained. “If anything, there is probably going to be a little over-reaction to this in that department. Which is OK.”
Halfen added that one other resident, Lauren Nitschke, a friend of Matteson’s, had her medical records unlawfully accessed by LaBraque.
“This information has been very upsetting,” Nitschke said Thursday, adding that she and her husband “both feel extremely violated and have a number of serious concerns regarding our privacy and future healthcare.”
Halfen stressed that the breaches of confidentiality were the work of one “rogue employee” who has been terminated.
“The hospital has 400 employees. This breach took place in 2010. We have had 600-700 employees since that time. This was one employee. That doesn’t equate to a systematic problem at the hospital,” Halfen said. He added that it was proper oversight on the part of the Records Department manager that caught the breach in the first place.
“It’s important that the community trust the hospital,” Halfen said. “That’s why we have these HIPPA laws. We have a computer system that tells us who got into what files, the time and date and what they did. If anyone feels their medical files may have been accessed, we can check. The only thing is, we need to know to look.”
Halfen said anyone who is concerned about their medical files is encouraged to contact the NIH Records Department. Staff there has the ability to find out if their files were also illegally accessed.