To Whom It May Concern:
The Meskwaki Tribal Health Clinic takes patient privacy and confidentiality very seriously and understands the boundaries in which the facility and the staff can and cannot operate under federal law. Staff are provided annual HIPAA training to ensure they remain up-to-date on the latest updates to the privacy act and other related laws that govern patient health information protection.
There was an incident recently brought to my attention in which the check-in process on our I-pads were providing predictive text to patients as they typed in their name. Once discovered this feature on each device was disabled. This is an internal setting on the I-pad and not related to the check-in software the Clinic is using, Clear Wave or our electronic health record (EHR) software. Staff are now manually checking each I-pad following the use by a patient to ensure the predictive text option is not turned back on. While I looked into this incident, I also relayed the information to the Tribe’s Attorney General’s Office for their review. Given no private information was revealed, we determined this to be a non-reportable event and created a policy on I-pad usage and check-in processes.
We looked thoroughly into the situation and based on the software we use and how it is set up, you cannot access any information unless you have the matching name and DOB. So while the predictive text may have offered an option for another last name, unless you personally knew this individual’s DOB and intentionally submitted their information knowing it wasn’t you, there is no way to move on to the check-in process and it is aborted. Using support staff from Clear Wave, we ran reports of check-in and aborted check-ins for the day in question and no names out of the ordinary popped up and no names that were not supposed to be there, showed up. This data is captured electronically the instant the I-pad is used for auditing purposes. Finally, the I-pads do NOT contain our EHR software so there is no way to access any patient medical records, at all.
To ensure all ends were covered, the Clinic did submit a self-reported notification to HHS. We do believe, in all fairness, staff or the facility did NOT violate any HIPAA laws regardless of claims made by any individual. The Clinic performs an annual Security Risk Analysis on all equipment and addresses any findings. To this date, the Clinic has never had any at-fault HIPAA violations and our goal is for continued compliance.
We take this part of our jobs very serious knowing the health information collected is private, owned by the patient, and understand on our end what the law requires from staff and the facility. We honor the trust the community puts in our staff and facility. The Meskwaki Health Clinic wants to continue operating in such a manner, that trust is never a question in anybody’s mind.
Thank you for allowing us to provide all your health care needs. Any questions can be directed to Rudy Papakee, Health Director, at 641.484.4094.
Thank you,
Rudy Papakee, MHA
Health Director
