Expert: MSU’s handling of medical records could have violated health privacy laws


Michigan State University has not informed at least a dozen patients about a potential breach of their confidential medical records at a university health clinic after a doctor associated with Larry Nassar removed their files in 2016.

According to MSU’s policies and procedures, failing to notify patients about a breach is a violation of the university’s own “HealthTeam” policy. It’s also a violation of the Health Insurance Portability and Accountability Act, the law that protects the privacy of people’s health records. It’s commonly known as “HIPAA.”

MSU denies any sort of violation of policy or law, claiming the records were related to patients Larry Nassar treated for USA Gymnastics. However, an expert with knowledge in HIPAA laws says otherwise.

According to university records, Dr. Brooke Lemmen removed several boxes of confidential patient treatment records from MSU Sports Medicine Clinic in September of 2016 amid an investigation against Nassar.

Lemmen, a close friend and co-worker of Nassar’s, told university officials she did it at Nassar’s request. At the time, police were investigating him for allegations of criminal sexual conduct.

The 54-year-old is currently serving his 60-year prison sentence for possessing child pornography. He faces an additional 175-year sentence at the state level after pleading guilty to sexually abusing his patients under the guise of medical treatment.

In March of 2017, Lemmen resigned from her position at MSU Sports Medicine Clinic after the university informed her it was considering her termination for removing patient files and failing to disclose certain information relating to Nassar.

Lemmen later admitted to removing the files but said she returned them, according to university records.

Documents included in Lemmen’s personnel file show that Nassar’s boss, former Dean William Strampel, told her that he was “seriously considering termination of (her) fixed term appointment,” due to lack of disclosure and the fact that she removed patient files. And even though she eventually returned the records, that was a “serious breach of protocol and good judgment.”

Because Lemmen’s employment with the university was in question due to her removal of records, the university assumes responsibility, according to Tom Ealey, a professor at Alma College with expertise in physician practice management and regulatory compliance, including HIPAA privacy.

Ealey says that when Lemmen removed patient medical records from the custody of the MSU Health Team, it appears she committed a HIPAA privacy breach.

Lemmen’s attorney, Fred Herrmann, declined to comment.

According to a review of MSU HealthTeam’s “Breach Notification Log,” the university never recorded the HIPAA privacy breach or notified patients of this incident.

That’s despite MSU policies and the law saying a covered entity must do so.

A review of MSU’s HealthTeam policies defines a breach as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

If health officials discover a breach, MSU says “individual notifications must be provided without unreasonable delay” to the affected patients.

That period of disclosure should be no later than 60 days following the discovery of the breach, according to rules the university adapted from the U.S. Department of Health and Human Services.

6 News spoke to at least a dozen Nassar survivors and their parents who say that, to this day, they have not received any notification of a potential breach. It is unclear how many medical records were taken or how many people they covered.

In response to a Freedom of Information Act request in August of 2017, almost a year after the incident, MSU said it had no record of any HIPAA breach investigation or report related to Lemmen’s removal of medical files.

MSU spokeswoman Emily Guerrant says that’s because the records Lemmen removed belonged to USA Gymnastics, not the university, and because USA Gymnastics is not a covered entity under HIPAA laws, there was no breach.

“Neither MSU nor Brooke Lemmen has responsibility for those files, and the reference to her putting her employment in jeopardy was to her colossally poor judgement she made by removing the records at Larry Nassar’s request,” Guerrant said.

Ealey disagrees.

“In his letter to Dr. Lemmen, Dean Strampel very clearly claims ownership and control of the medical records that had been removed from the Sports Medicine Clinic and returned to the HealthTeam,” Ealey said.

It’s worth noting, however, that several other non-related breaches were documented after Lemmen, according to MSU’s Breach Notification Log.

The log details recorded HIPAA breaches at MSU from 2013 through 2016. The types of breaches range from accidental sharing of medical information to illegal viewing of privileged information.

Only one individual was affected in the majority of the cases. The highest number of affected individuals was 18.

In cases involving 500 or more medical records, the incident must also be reported to the Office of Civil Rights.

The OCR declined to comment on whether MSU reported a breach of that magnitude but referred 6 News to a list of current open investigations relating to HIPAA breaches.

There is no such report relating to MSU or Lemmen in that log.

However, through policies and procedures, MSU promises that it will protect all patients’ medical information as enforced under the law.

The MSU Health Team’s “Notice of Privacy Practices” says patients have “The right to be notified of a breach of your protected health information. The HealthTeam must notify you as soon as possible and no later than 60 days following discovery of the breach.”

According to federal law, if the entity has “insufficient or out-of-date contact information for 10 or more individuals” at the time of the breach, the covered entity must provide some type of notice by either posting information on the home page of its web site, in major print, or through broadcast media “where the affected individuals likely reside.”

For 90 days, information about the breach must be made available to patients online and via telephone.

If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the entity may provide notice of the breach by an alternative form of written notice, by telephone, or other means, according to the law.

MSU did not do that, according to Nassar’s former patients at MSU Sports Medicine Clinic.

But Ealey says MSU could argue that Nassar produced the records off campus and that, because of that, they are not the responsibility of the HealthTeam.

“The situation is complicated and messy because of the original sin,” Ealey said.

Under his contract with the university, Nassar was expected to engage in “community outreach” which included his role as the team doctor for USA Gymnastics.

Ealey says that while records may have been produced off campus during unsupervised volunteer work or on campus with athletes affiliated with USA Gymnastics, MSU still threatened to terminate Lemmen’s employment when it learned she removed them.

“If MSU does not claim ownership of the records, any review of the records by MSU personnel might have been a HIPAA violation,” he said. “But then they had to look at the records to determine the origin of the records.”

Ealey also said that unless Lemmen had a “valid clinical or administrative reason to have custody of the records, her possession of records containing Protected Health Information, would likely be a HIPAA breach violation, whether MSU claimed knowledge or custody at the time.”

Protecting Nassar, he said, would not be considered a valid reason for removing the files.

Ealey says another concern is whether Lemmen left an inventory of the records when she removed them.

If she did not, Ealey says MSU will never know if all the records were returned.

“Since we do not know to a certainty if Dr. Lemmen reviewed the records or removed pages, MSU has only the hope she dealt in good faith,” Ealey added.

MSU claims it no longer has the records because they were returned to USA Gymnastics, according to Guerrant.

“I believe that happened after they were taken during/for the investigation,” she said in an e-mail.

6 News reached out to USA Gymnastics for comment. The organization has not responded to our inquiry about whether documents were returned.

According to Ealey, if the records indeed belong to USA Gymnastics, MSU Sports Medicine Clinic has no right to retain those records or examine them.

Guerrant said the files belonged to Nassar, an MSU employee, until he was fired in September of 2016. She said they were related to his work for USA Gymnastics.

That does not explain why Strampel told Lemmen she broke protocol when she removed the records. MSU claims the records do not belong to the university, but says it does not have protocol for custody and control of records that belong to another entity like USA Gymnastics.

Attorneys suing MSU on behalf of their Nassar survivors said in some cases, MSU failed to even produce medical records from patients’ visits at MSU Sports Medicine Clinic, despite patients’ proof of receipt.

An investigation by House lawmakers found the university “failed to adequately protect students and patients on campus” with “multiple lapses in policy, procedure, and culture,” although the investigation does not specifically cite the situation involving Lemmen and the documents she removed from the MSU HealthTeam.

According to the law, a HIPAA violation is when a covered entity or a business associate fails to comply with one or more of the provisions covered under HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. In either case, financial penalties can be issued by the Office of Civil Rights or Attorney General’s office.

Penalties for unintentional violations, however, will be lower than those issued for intentional ones.

An example of an unintentional release of information is when too much personal health information is disclosed and the “minimum necessary information standard is violated.”

Deliberate violations include delaying the issuing of breach notification letters to patients and exceeding the maximum 60-day time period to do so.

Failing to issue such notifications is a result of negligence, under the law.

The Office of Civil Rights will determine a financial penalty based on several factors such as the length of time a violation went unreported, the number of people it affected, and the nature of the data.

The penalty structure is based on four categories:

  • Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
  • Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

The fines are issued based on the category of the violation and the amount of time, per year, the violation was allowed to persist.

  • Category 1: Minimum fine of $100 per violation up to $50,000
  • Category 2: Minimum fine of $1,000 per violation up to $50,000
  • Category 3: Minimum fine of $10,000 per violation up to $50,000
  • Category 4: Minimum fine of $50,000 per violation

The maximum fine per violation category, per year, is $1,500,000.

According to the Office of Civil Rights, 2016 was a record year for settlements involving covered entities that violated HIPAA rules. In that year, a total of 12 settlements were made and one civil penalty issued by the OCR.

The price tag for the highest settlement amount in 2017 came in at $5.5 million.

Copyright 2019 Nexstar Broadcasting, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
