
HEALTH PLANS: The Gadfly seems to have caused Kaiser real trouble

So the Gadfly has really had an effect, and in some ways so has THCB. But I’m not sure it’s a good one. Yesterday the California Department of Managed Healthcare (DMHC) fined Kaiser $200,000 for the breach of patient confidentiality that was fairly exhaustively documented on THCB and elsewhere.

Just to remind you, some contractor left some database schemas of Kaiser’s Health Connect project on an open web site some time between 2002 and 2004. Somewhere in those charts, which I looked at (not knowing what was in them) were patient records for 150 real live patients (although I never saw one and the Gadfly said that she only ever saw three and never knew they were real). The Gadfly linked to the site from her website, and after she wrote to me, I put it in a story here last August. Within a few days, that website had been taken down, and I assumed that that was that.

But apparently not. The Gadfly, who was involved in a nasty if unrelated dispute about her firing, had mirrored and copied the site to prove (at least to her satisfaction) that Kaiser was doing something wrong. Kaiser apparently is being fined for not reporting its breach of confidentiality. "DMHC officials were concerned that Kaiser allowed the site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January 2005. In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March. However, Kaiser has since informed all of the approximately 150 members who may have been affected." So playing out the timeline, Kaiser knew (we can assume) in August 2004, started going after the Gadfly in March 2005 when the story broke in the SJ Mercury News, but apparently had been told by the Civil Rights Commission in January that its data had been (or still was) online, but didn’t inform the DMHC until March.

However, given that they had taken down the offending site the previous August, really Kaiser is being punished for not informing DMHC when it knew, rather than keeping it quiet and pretending (or at least insinuating pretty heavily) that it was the Gadfly who’d allowed public access to the site. But then again the Gadfly was allowing access to the data from August 2004 until March 2005, although it was a mirror of the site that had been up for over two years.

In some ways there is some karmic justice to all this. Kaiser didn’t treat the Gadfly at all well as an employee. She went after them rather too aggressively, even if she didn’t know that she was showing real patient data. Kaiser in turn responded in a more than proportionally aggressive manner, and never tried to work it out with the Gadfly to see if some reasonable accommodation to her problems could be reached. And they failed to do the CYA necessary to stop themselves getting in trouble with DMHC. But if $200,000 is a fair fine, then it’s more than $1200 per person, and probably more than a few thousand dollars per actual viewing by anyone on the web. So to my mind that’s a more than proportional punishment. And I’m not sure that it’s not just DMHC grandstanding–I mean I know it was against the law, and Kaiser was slow, but I can’t see that that much harm was done to any of those patients.

Now Kaiser is a very wealthy organization and had a very good year last year ($481m profit in Q1 2005 alone), so $200,000 is not exactly that much to it. But on the other hand, it’s real money that could be used to provide health care to many needy people, and I suspect that had just a little been spent on better health insurance for the Gadfly, all of this could have been avoided. Of course the DMHC can now try to go after the Gadfly, but it appears that HIPAA privacy requirements do not apply to individuals.

So the lesson for health care organizations is mind your data and mind your employees, and treat both with common sense.

Carol Rickman

Kaiser Permanente Hospital killed my 45 year old daughter. It took 8 months of being confined there and EVERY error being made. She went in for the draining of an abdominal abscess and wound up with flesh eating bacteria. The physician even ordered an antibiotic she was highly allergic to in my opinion to make her go away. She caught it before it could be administered. I have pictures and can tell a story of the horror she went through. I was there so much of the time so can personally attest to the doctors' actions. Of course there were some good…

Diane Dick

Good JOB GADFLY.
THE C.E.O and administration must have all gotten ‘HIP BOOTS’ FOR XMAS. Otherwise they would be up to the waists in their own B.S. by now.
Hang in there..
Grandma Dee.

gadfly

Ps. Matt – the DMHC report seems to indicate the Systems Diagrams were on the web since 1999. December 2002 was just the earliest date I got from the Internet Archive.

gadfly

I’m just relieved that the DMHC confirmed that I’m not the person who put the patient information on the web. I’ve been fending off Kaiser’s insinuations that I stole patient data and put it on the web myself for three months now. I’m still embroiled in the lawsuit. In the Chronicle article this morning, Kaiser was still getting the last word with, “What she did was unlawful, and we will vigorously pursue that…” All I have ever wanted was for Kaiser to stop covering things up, stop playing block and tackle, stop smearing people and wearing them down. I want…

Ron Greiner

Good job gadfly,
My father, may he rest in peace, had Kaiser. The horror stories. Thank you for getting even for him.

jib

Paging Dr. Spitzer: If I recall correctly, Health and Human Services has not yet imposed a single fine for a HIPAA security violation. (My source is an article in the Chicago Tribune a few months back before the security rule went into effect. So my information may be no longer correct.) That of course would make the California DMHC fine of $200,000 the largest on record yet for a health care provider involved in a security breach … Anyone know the appropriate source for data on complaints and their resolutions? If it’s true, that may or may not say something…

Kaiser PermanenteThrive

There are several larger issues at stake:
1) Kaiser deals with *all* disputes this way, by obscuring evidence and shifting blame
2) Kaiser didn’t only fail to report the breach to the DMHC, but deliberately lied about the gadfly’s involvement to cover up its own wrongdoing
3) If Kaiser can’t secure the data of 140 patients it certainly isn’t worthy of administrating a national EMR
Matthew still thinks Kaiser is “on the side of the angels.” Me thinks everyone who believes this way about Kaiser should sign up immediately and find out the hard way.