IHS addresses privacy breach in its Great Plains Area

On May 30, 2014, it was discovered that a file folder containing protected health information from the Indian Health Service (IHS) Rosebud Service Unit in Rosebud, South Dakota, was inadvertently left by an employee in a public area at the Rapid City Service Unit in Rapid City, South Dakota. Both facilities are in the IHS Great Plains Area which encompasses the states of North Dakota, South Dakota, Nebraska, and Iowa.

The protected health information that was left in the folder at the Rapid City Service Unit included 620 patient names, Social Security numbers, and U.S. Department of Veterans Affairs enrollment information. At this time, IHS has not received any indication that the information has been accessed or used by any unauthorized individuals. The folder was discovered a short time later and was immediately taken to security medical records.

The IHS is committed to safeguarding the privacy of its patients and deeply regrets that this incident occurred. In accordance with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the IHS has notified the persons involved. On July 16, 2014, the IHS sent letters by first class mail to the affected patients to inform them of the privacy breach and apologize for the incident.

In the letter, patients were provided a phone number to speak to the Area HIPAA Coordinator about the incident. As a measure of added security, the IHS is offering one year of free credit monitoring and reporting services to the individuals involved. In compliance with the HIPAA regulations, information about the breach will be posted on the IHS homepage at http://www.ihs.gov for 90 days.

“The Indian Health Service understands the importance of safeguarding our patients’ personal information, and we take that responsibility very seriously,” said Acting IHS Director Dr. Yvette Roubideaux. “We will do all we can to work with patients whose personal information may have been compromised. We regret that this incident has occurred and we are committed to preventing future occurrences.”

In accordance with the HIPAA regulations, an investigation has been completed, and appropriate follow-up actions and determination of accountability measures will be undertaken by the appropriate management officials. To prevent future occurrences, all Great Plains Area staff will receive additional training in current HIPAA privacy and security rules.

The IHS, an agency within the U.S. Department of Health and Human Services, provides a comprehensive health service delivery system for approximately 2.1 million American Indians and Alaska Natives who are members of federally recognized tribes.