LCO Health Center Investigates Potential HIPAA Violations

The Lac Courte Oreilles (LCO) Tribal Governing Board of the Ojibwe Indian Reservation has reported a HIPAA breach in which an undisclosed number of individuals have had their PHI exposed. The LOC reported “several pieces of Health Center information from 2010-2011” were compromised in the incident.

An investigation was conducted by the LCO along with the tribal police force into a potential breach of the Health Information Portability and Accountability Act (HIPAA) after an employee of the LCO Health Center (LCOHC) took PHI from the health center, according to a notice published on the tribe’s website.

Late last year, the Director of the LCOHC was made aware of a potential breach of HIPAA Rules after an employee had allegedly taken health center files home. The following investigation quickly established that the employee had taken the files in order to complete some work; however those files were not returned to LCOHC “in a timely fashion.”

The matter was brought to the attention of the Director of the LCOHC by the employee’s partner, who reported the incident after the couple separated. The initial results of the investigation determined that the incident did not qualify as a HIPAA breach.

The incident did however constitute a breach of the security policy of the health center; where penalties for improper access of PHI can be steep. According to NNC NOW,the investigation uncovered that the files were Protected Health Information (PHI), leading to the termination of the employee.”

Investigations Conclude HIPAA Rules Were Breached

The investigation was conducted in January of this year, and since no PHI was deemed to have been divulged – and had only been viewed by the employee who had legitimate access to the data – the incident was not considered to be a HIPAA breach. At the time the Legal Department of the tribal government determined “the facts of the investigation established that this incident was statutorily excluded from being constituted as a breach of the standards of HIPAA pursuant to 45 C.F.R. 164.402”

However, recent events have caused the tribe to update the security incident to a HIPAA breach. According to the statement posted on the LCO website:

“As part of the investigation back in January, the tribe’s police force personnel made an inventory list of the obtained PHI. In recent days, this confidential and proprietary inventory list was illegally obtained and disseminated publicly from a source other than the health center. The recent release of this inventory list constitutes a breach of not only the tribe’s internal confidentiality policies, but also HIPAA.”

The tribe has offered all affected individuals the opportunity to make an appointment to come in and view their PHI so they can make a decision about the actions they need to mitigate any damage caused. The matter has also been referred to the Sawyer County District Attorney and County Sheriff to pursue criminal proceedings against the individual.

A warning was also issued to anyone found in possession of the inventory list and advised them that criminal proceedings will be brought against all individuals and they may also face civil liability claims.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.