- An employee of the Iowa’s Mahaska County government alleged that another employee committed a HIPAA violation when she locked a member of the public inside a building where files containing PHI were stored unsecured, the Oskaloosa News reported.
Kim Newendorp, general assistant director for Mahaska County, told the Board of Supervisors this month that a fellow county employee had locked a member of the public in the Annex Building and left that person alone in the facility.
“This person was waiting for me, but in doing so, she left all of the case management confidential and HIPAA information unlocked and accessible to that person. This is a HIPAA violation,” Newendorp told the board.
Newendorp said she notified her boss, one of the board members, about the incident but received no response. She then spoke with the county’s chief privacy officer, Jim Blomgren, who passed information about the incident on to the company that handles human resources for the county. No action was taken.
Newendorp said that she filed an official grievance with the Board of Supervisors, who passed it onto Blomgren, who then passed it on to the HR people, again with no result.
“I’m disappointed this situation has not been handled,” she told the board. “Especially due to the importance of HIPAA. The state DHS official has come forward to say that this situation is an issue, and yet nothing has been done.”
“I understand this topic may not be as important to you as roads, 911, and the airport, but I can tell you that the people’s right to have their personal information locked and secured is important to the hundreds of past clients of Mahaska County Case Management, and their families and myself.”
Willie Van Weelden, chairman of the Mahaska County Board of Supervisors, said he took action at the time, but declined to say what he specifically did to address Newendorp’s concerns.
Oskaloosa News asked Blomgren to comment on Newendorp’s testimony. “Since the comments of the employee at the meeting of the Board of Supervisors involves personnel issues and alleged HIPAA infractions I do not believe I am at liberty to discuss them,” he responded.
“I think in most counties, the board of supervisors, you would never do an investigation into HIPAA. You would never do a human resources investigation. No county I know of would have their board do that,” Paul Greufe of PJ Greufe & Associates told Oskaloosa News.
Greufe said that most counties hire professional services such as his to do the HR work and would direct those people to start an investigation. “And so that was the process that was followed to the letter.”
Similar Incident in Boston Results in OCR Report
The incident alleged by Newendorp is similar to one that occurred at the Boston Healthcare for the Homeless Program (BHCHP) earlier this year. In that case, someone was not let into the facililty unattended but broke in.
There was unsecured PHI in the facility, but no evidence that the PHI was viewed by the intruder. Still, BHCHP did notify people affected about the incident and reported it to OCR.
The unsecured PHI included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications. BHCHP told OCR that 861 individuals were affected by the breach.
BHCHP said it conducted an internal investigation that included a search of the clinic to which the intruder would have had access and interviews with clinic and shelter staff.
The program also ensured that the clinic door was secure and implemented additional safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets.
BHCHP also updated its policies governing how staff use and store patient information.