[ Monday, June 20, 2005 ]
Kaiser fined $200,000:
I received this in an email today and haven't found an actual news source on it yet (probably will update tomorrow). Anyway, it appears the California Department of Managed Health Care has levied a $200,000 fine in relation to Kaiser's posting of PHI on a fairly obscure web portal. This is apparently the case highlighted by the Diva of Disgruntled. But before you start thinking this is vindication for the Diva, what she did was re-publish the information after Kaiser had removed it from the offending website.
Anyway, here's what I got via email:
> FOR IMMEDIATE RELEASE
> June 20, 2005
> CONTACT: Lynne Randolph, (916) 445-7442
> Kaiser Foundation Health Plan Fined by State for Exposing Patient
> Information on Web
> Confidential data was contained on a publicly viewable site
> (Sacramento) Following through on a public promise in March, the
> Department of Managed Health Care (DMHC) has completed an
> investigation and fined Kaiser Foundation Health Plan $200,000 for the
> unauthorized disclosure of patient health information, available on a
> potentially accessible Web site for up to four years.
> "Patients must be assured that health plans will, at all costs, do
> everything possible to protect confidential information," said Cindy
> Ehnes, director of the DMHC. "As we work on broadening the use of
> electronic medical records to improve patient care, on both the state
> and federal levels, health plans must make security of confidential
> information a top priority."
> The DMHC investigation determined that Kaiser was responsible for the
> creation of a Web site used as a testing portal by its information
> technology staff. The site contained confidential patient information
> such as names, addresses, phone numbers and lab results. It was set
> up and available for public viewing in 1999 without the prior consent
> of those affected, in direct violation of state law and the plan's own
> privacy policies.
> DMHC officials were concerned that Kaiser allowed the site to languish
> on the Web in an accessible format and did not act to remove it until
> its existence was brought to the attention of federal civil rights
> authorities in January 2005. In addition, Kaiser authorities chose
> not to inform state regulators until after the site had been reported
> to the media in March. However, Kaiser has since informed all of the
> approximately 150 members who may have been affected.
> "Not only was this a grave security breach, Kaiser did not actively
> work to protect patients until after they had been caught," said
> Ehnes. "We're imposing this fine because we consider this act to be
> irresponsible and negligent at the expense of members' privacy and
> peace of mind."
> Under state law, a health plan can be fined if it violates the
> confidentiality of medical information without first obtaining the
> individual's authorization.
> In addition to the federal Health Insurance Portability and
> Accountability Act (HIPAA), state law has its own privacy statutes
> contained in the Civil Code.
> Kaiser officials have until June 25 to present any information to
> dispute the DMHC's findings or the fine will be imposed, and they have
> been cooperating throughout the investigation.
> The California Department of Managed Health Care is the only
> stand-alone watchdog agency in the nation, touching the lives of more
> than 21 million enrollees. The Department has assisted more than
> 633,000 Californians through its 24-hour Help Center to resolve their
> HMO problems, educate consumers on health care rights and
> responsibilities, and work closely with HMO plans to ensure a solvent
> and stable managed health care system.
[UPDATE:]
The story is now available here. If that's a registration site, you can get a snippet here too. It looks like Kaiser isn't going to fight the fine, though.
But I don't think this is vindication for Elisa Cooper, the "Diva of Disgruntled."
As I understand it (and I could be wrong, but I think this is pretty accurate), Kaiser set up a beta site to test the structure of its electronic medical records architecture. It populated the beta site with some random data, probably pulled at random from real medical records in Kaiser's system. Information such as patient names and test results was included, but apparently not Social Security numbers or the like. The site was accessible from the internet (so that it could be tested by multiple parties to make sure it would work, and to allow Kaiser contractors and others to model off of it), but you would really have to know where you were going to get to it. It was very much a technical site, rather than a pretty graphics-and-text site like this one. Clearly PHI was included, and Kaiser should have substituted phony names; Kaiser should have been quicker in taking the site down once it knew about it, too.

One of the outside contractors Kaiser used, the "Diva," got fired by Kaiser and tried to use this as leverage against Kaiser to get rehired or be cashed out. She publicized the site and how to access it; apparently she also copied the information off the site and, even after Kaiser had closed the site down, made the information available on the 'net. I think she may have offered it for sale on eBay, too. That's when Kaiser sued her.

Kaiser may have done wrong in putting the information out where it could be accessed by the public, even though the likelihood of anyone accessing it was awfully remote. But further publication of the information by the Diva did nothing to improve the privacy of the information, and in fact reduced the privacy even more.
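The fix the paragraph above points at is not to keep the test portal harder to find but to never load real PHI into it in the first place: substitute phony names and strip the other direct identifiers before the data leaves production. Here is one way to do that, as an added example that is not code from the original post and says nothing about how Kaiser's site actually worked. The record layout, the sample patients, the name lists and the key are all constructed for illustration; the approach (a keyed hash for a stable surrogate ID so a patient's labs still link together, synthetic names and phone numbers derived from that surrogate, the address reduced to its state, lab dates reduced to the year) is a common pseudonymization pattern, and the final check refuses the output if any original identifier survives verbatim.

```python
from __future__ import annotations

import hashlib
import hmac
import random

# Constructed sample records standing in for production data (no real people).
# The field set mirrors what the press release says the test site exposed:
# names, addresses, phone numbers and lab results.
SAMPLE_RECORDS = [
    {
        "mrn": "MRN-000123",
        "name": "Alice Example",
        "address": "12 Elm St, Oakland, CA 94601",
        "phone": "510-555-2468",
        "labs": [{"test": "HbA1c", "value": 6.4, "date": "2004-11-03"}],
    },
    {
        "mrn": "MRN-000456",
        "name": "Bob Sample",
        "address": "9 Oak Ave, Sacramento, CA 95814",
        "phone": "916-555-1357",
        "labs": [
            {"test": "LDL", "value": 131, "date": "2005-01-19"},
            {"test": "HbA1c", "value": 5.9, "date": "2005-02-02"},
        ],
    },
]

# Demo key only. In real use the key lives in a secret store on the production
# side; the test environment never sees it, so surrogates cannot be reversed there.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Hypothetical name pools; any list of obviously synthetic names will do.
FIRST_NAMES = ["Pat", "Sam", "Lee", "Chris", "Jordan", "Taylor"]
LAST_NAMES = ["Smith", "Garcia", "Nguyen", "Patel", "Okafor", "Cohen"]


def surrogate_id(mrn: str, key: bytes) -> str:
    """Keyed hash of the real record number: stable for the same key, so a
    patient's labs still link together in the test data, but not reversible
    without the key."""
    return "TEST-" + hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:12]


def synthetic_name(sid: str) -> str:
    """Fake name drawn deterministically from the surrogate id."""
    rng = random.Random(sid)
    return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"


def fake_phone(sid: str) -> str:
    """Number in the 555-01XX range, which is reserved for fictional use."""
    rng = random.Random(sid + ":phone")
    return f"{rng.randint(200, 999)}-555-01{rng.randint(0, 99):02d}"


def generalize_address(address: str) -> str:
    """Drop street, city and ZIP; keep only the state.
    Assumes the constructed 'street, city, ST zip' layout used above."""
    tail = address.rsplit(",", 1)[-1].split()
    return tail[0] if tail else ""


def deidentify(records: list[dict], key: bytes) -> list[dict]:
    """Build a copy of the records with direct identifiers replaced.
    Lab test names and values are kept (that is what a test portal needs to
    exercise); lab dates are reduced to the year."""
    out = []
    for rec in records:
        sid = surrogate_id(rec["mrn"], key)
        out.append({
            "patient_id": sid,
            "name": synthetic_name(sid),
            "phone": fake_phone(sid),
            "state": generalize_address(rec["address"]),
            "labs": [
                {"test": lab["test"], "value": lab["value"], "year": int(lab["date"][:4])}
                for lab in rec["labs"]
            ],
        })
    return out


def leaked_identifiers(originals: list[dict], deidentified: list[dict]) -> list[str]:
    """Gate to run before the data leaves production: returns every original
    record number, name, phone number or address that still appears verbatim
    in the output. An empty list means the copy is safe to ship."""
    blob = repr(deidentified)
    return [rec[f] for rec in originals
            for f in ("mrn", "name", "phone", "address") if rec[f] in blob]


if __name__ == "__main__":
    test_data = deidentify(SAMPLE_RECORDS, DEMO_KEY)
    assert leaked_identifiers(SAMPLE_RECORDS, test_data) == []
    for row in test_data:
        print(row)
```

Two design points matter more than the field-by-field rules. First, the surrogate is an HMAC rather than a plain hash: with a plain hash anyone holding the test copy could rebuild it from a list of record numbers, while the HMAC key never leaves production. Second, the leak check is the step a practitioner actually wants, because a site like the one in the press release is typically built by someone who believed the data was already scrubbed; an automated refusal to publish when an original identifier survives catches that belief being wrong. This is not a determination of HIPAA de-identification compliance, which covers more identifier types than the four the press release lists.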
[Update 2]: Here's the DMHC website PDF of the press release from above.
Jeff [5:13 PM]