After Chad Risum’s brother, Scott, committed suicide three years ago, their mother, Rita Jubie, tried to get visitation rights to see Scott’s two daughters.
The girls’ guardian asked to see Jubie’s medical records, saying there was a concern about her mental health, Risum said.
That prompted Jubie to ask Dean Clinic if anyone had inappropriately accessed her records. Dean determined that Brandi Malcook, a licensed practical nurse, accessed Jubie’s records — and the records of Chad Risum, Scott Risum and Chad’s wife and daughter — without any business reason to do so.
The Wisconsin Board of Nursing reprimanded Malcook, fined her $400, made her take classes in ethics and privacy, and required her to be supervised and monitored for a year.
Risum filed a complaint against Dean with the federal government, which enforces the Health Insurance Portability and Accountability Act, or HIPAA. The law requires confidential handling of protected health information. In September, federal officials said they wouldn’t investigate.
The federal refusal to investigate and the nursing board’s discipline against Malcook, which Risum considers too light, leave him feeling HIPAA is toothless.
“Everybody is led to believe, by the medical community and the federal government, that HIPAA has very serious consequences,” Risum said. “But we’ve been brushed to the side.”
Health care organizations rely on policies, training and technology to protect patient privacy, but breaches still occur, said Angela Dinh Rose, director of health information management practice excellence at the American Health Information Management Association in Chicago.
“It’s human errors and human maliciousness,” Rose said.
Some breaches get a lot of attention, including one in June at Cedars-Sinai Medical Center in Los Angeles. Five workers were fired for peeking at patient medical records after reality TV star Kim Kardashian gave birth to her daughter with rapper Kanye West.
A federal database of breaches affecting 500 or more people in recent years includes eight incidents in Wisconsin: at UW-Oshkosh, Osceola Medical Center, Thrivent Financial for Lutherans, Tomah Memorial Hospital, Memorial Hospital of Lafayette County, Lakeview Medical Center in Rice Lake and two involving the owner of Dean/St. Mary’s Hospital in Madison.
I reported on one of the Dean/St. Mary’s incidents in 2010. Medical data from 3,288 patients were stored on a laptop stolen from a doctor’s house. The doctor, whom Dean didn’t identify, put patient information on her personal computer, against Dean policy.
This October, St. Mary’s Janesville said it notified 629 patients that a laptop stolen from an employee’s car had medical information that was password protected but not encrypted, against hospital policy.
There is no evidence that patient information was compromised in either situation, said Melissa Wollering, a spokeswoman for Dean and SSM Health Care, which owns the St. Mary’s hospitals.
She wouldn’t say if employees were disciplined in those cases or comment on the situation involving the Risums, Jubie and Malcook.
In Chad Risum’s federal complaint, he said Dean didn’t follow HIPAA properly in responding to his family’s breaches. Federal officials, in deciding not to investigate, noted that Dean reported the incident to the state and Malcook was no longer employed by Dean when clinic officials learned of the problem.
Malcook accessed the records of Jubie, Chad Risum, Scott Risum and Chad’s wife and daughter between Oct. 21, 2010, and June 29, 2011, while working at the Dean clinic in Stoughton, according to Dean and state documents. It’s not clear if she shared the information.
Malcook “voluntarily terminated” her job Dec. 2, 2011, a Dean letter says. Jubie didn’t contact Dean about the problem until June 2012.
Malcook’s attorney said Malcook had no comment. In a letter to the state, Malcook said Chad Risum and Jubie asked her to look at the medical records. Risum denies that.
Jubie dropped her request for visitation rights to her grandchildren, Risum said. He declined to discuss what Malcook might have seen in his family’s files. Regardless of the content, “you just feel violated,” he said.