A regional Veteran Affairs manager already embroiled in one whistle-blower retaliation scandal accessed a file that included another whistle-blower’s medical records.
Dr. Michael Adelman, the Veteran Integrated Services Network (VISN) 4 manager, was one of at least 15 people who had access to an Administrative Investigation Board (AIB) file of James DeNofrio, an employee and whistle-blower at the Altoona VA Medical Center, a Pennsylvania hospital in the VISN 4 region. That file included a copy of DeNofrio’s health records, according to a letter shared with The Daily Caller.
An AIB is a formal internal investigation designed to root out bad employees and fix inefficiencies, but many whistle-blowers have complained it has evolved into a form of whistle-blower retaliation.
Shortly after DeNofrio made a disclosure to the Office of Special Counsel (OSC) in 2015, he was the target of an AIB; this AIB took nearly a year to complete before no punishment was taken.
In February 2017, DeNofrio, through a Freedom of Information Act request, received the contents of his AIB, which included a copy of his medical records.
The Health Insurance Portability and Accountability Act (HIPAA) strictly forbids the disclosure of a patient’s medical records without written permission.
Though this is forbidden, this practice is so prevalent that in April 2015, then Office of Special Counsel director Carolyn Lerner testified in Congress about this epidemic.
DeNofrio said that the perpetrators in these cases are rarely punished.
In April, DeNofrio received a letter from Adelman confirming that his medical records had been incorporated into the investigative file and then viewed.
“It was identified that the AIB file was maintained on a Share Point site that multiple individuals had access to,” Adelman wrote in the letter. “Upon investigation of your report it was determined that there was a disc that was disclosed to two people.”
“All information has been removed from the SharePoint and education has been provided regarding the placement of sensitive information on a SharePoint site,” he continued. “The Office of General Counsel is retrieving the discs that contain [protected health information] and providing the requesters with a redacted copy.”
“We are notifying you so that you may choose to take appropriate steps to protect yourself against identity theft,” Adelman wrote at the time.
He didn’t say who accessed DeNofrio’s records, nor did he let on that he himself had access to the records in the letter.
In a separate case, Adelman decided to terminate Dr. Dale Klein, a doctor specializing in pain management turned whistle-blower at the Poplar Bluff, Missouri VA Medical Center, even though that hospital is located in a different region, VISN 15, than the region he heads.
In this case, DeNofrio made a FOIA request, asking for a list of people who had accessed his AIB file, which he’d learned was put on an internal SharePoint system.
“The Share Point was removed with no existing sub-sites on April 13, 2017,” said Barbara Wallace, an employee with the VA regional office who handled the FOIA request in June 2017.
Then, Tim Skarada, another employee and whistle-blower who was the subject of the same AIB, also made a request for the same file.
After Skarada was told the file was still active, DeNofrio filed a new FOIA request, which successfully turned up the SharePoint file. Adelman was the top name listed of those who had access to it.
Adelman, who provided a statement through David Cowgill, the VISN 4 public affairs officer, told TheDC he did nothing wrong in reviewing the AIB information.
“Dr. Adelman did not access Mr. DeNofrio’s medical records. He appropriately reviewed the results of an Administrative Investigation Board (AIB) that included portions of Mr. DeNofrio’s medical records. A privacy complaint filed by Mr. DeNofrio concerning the individuals who had access to the AIB was investigated and access was found to be appropriate.”
But in response, DeNofrio insisted that the law is on his side.
“VA Handbook 0700 (Administrative Investigations) states that ‘information does not lose its protection under the Privacy Act by virtue of being included in an investigation,” DeNofrio said. “Therefore, AIBs must be particularly careful to avoid unauthorized disclosure to others of information derived from Privacy Act systems of records.’ This means that no matter how hard VA tries to justify their actions, they appear to have violated their own policy when Dr. Adelman and / or his many subordinates in VISN4 and the Altoona VAMC accessed my non-employee, HIPAA-protected, personal, Veteran medical records which according to the above policy should never have been put in an AIB or VA SharePoint to begin with. To my understanding, there continue to be ongoing federal investigations into the repeated accesses made to my Veteran medical records as well as many other whistleblowers’ medical records across the VA.”
DeNofrio further stated that any investigation that Adelman referred to would only be an internal investigation because the Department of Health and Human Services has included DeNofrio’s information into a larger investigation on the illegal access of veteran’s medical records in the VA; DeNofrio said that investigation has not yet concluded.
Though an AIB is supposed to last no more than 120 days, DeNofrio’s AIB, which began in December 2015, lasted nearly a year and only ended after repeated queries from media and Democratic Pennsylvania Sen. Robert Casey’s office.
DeNofrio said he was told by then Altoona VAMC Medical Director, Judy Heyman, in October 2016, that he and Skarada had been found guilty of every allegation against them, but that there would be no punishment.
At the time, DeNofrio only received a memo that stated the decision; he’s received everything else — his thousand-page investigative file, SharePoint information, and the list of those who had access to the AIB — only after FOIA requests.