KP lawsuit doesn’t sniff quite right

It’s about time we had a fun Kaiser Permanente scandal, as it’s been a while, and it appears that they’re having some influence on the side of the angels in DC these days. And tracking vis HISTalk apparently there is one. You can wonder over to this blog to get the full rhetoric but basically it comes down to KP being sued by a former relatively senior techie in the Northern California region who has had a big time falling out with his boss.He has three main accusations.

1. KP kept a registry of dementia patients on an open internal network2. KP employees were dumping personally identified data in the trash3. KP was and is not tracking deductibles and was forcing their members to count up to them—presumably costing their members money for those who were paying cash when they’d already met their deductible.

So let’s parse these apart.

#1 seems to have been true, but it was not illegal. Now it’s very likely that there was a registry of dementia patients available to clinical personnel within KP—at least I’d hope so—and probably some IT specialists who didn’t need it for clinical reasons could get at it too because someone screwed up. But all those people are covered by their employment agreement AND by HIPAA. So it seems to me a big “so what”. But here’s what Kaiser admits to:

The file was on a Kaiser Permanente owned and controlled intranet shared server and was not available to the public.

In response to Mr. Denning’s compliance complaint in 2007, an investigation determined that a valid issue about record control was raised, although there was no evidence of any actual privacy breach, nor any public disclosure of this information. The investigation found that the posting was inadvertent and the document was immediately removed from the drive. Mr. Denning was informed of the outcome of this investigation.

That means someone made a mistake and it was cleaned up, but no patient data was released illegally. You might believe that KP was lying about this except that last year when the Octo-Mum madness happened KP fired a bunch of employees who deliberately accessed the Oct-Mum’s PHI when they didn't need to see it and KP reported it to the state and KP paid a big fine! So it seems to me that KP’s lawyers are extra cautious in these types of situations.

#2 (PHI in the trash) seems unlikely to me too. Now we’re talking April 2008, after the new California privacy law has going into action, and well after KP has started bragging about its online services that it both wants its members to use, and more importantly that it stands to gain financially from if its members do use. By the way they spent $4–6 billion on their new system, and now apparently there’s no money left to pay for a shredding service? I’d need to see really good evidence about this before I believe it. Why would KP be so stupid?

Perhaps I’m just fired up because the blog in question went to Deb Peel for a quote, and you all know what I think about her. And of course, FD, KP has sponsored the Health 2.0 Conference which I run, so you can all accuse me of being bought and paid for. But that doesn’t mean I’m not prepared to rake them over the coals in public and private for their screw-ups (Kidney Transplant, N. Cal exhibit one, Recission stories, exhibit two).

Now #3 (miscalculating deductibles) is a little more interesting and it’s the one that gets the least attention in the article. But I believe this is possible. I have never been a KP member but I have had health insurance which did get my deductible wrong. In fact I bet ever health insurer has had that problem at one time or another. Historically KP has not sold plans with deductibles—that was a move forced on it by its competitors in the early 2000s. So it’s likely that in 2003 KP’s systems were not able to count deductibles accurately at that stage. If that was still the case in 2008 then that certainly needs attention, and it doesn’t get commented on by the KP response email quoted in the piece.

Finally I will say that KP, which has been accused for years somewhat correctly of being opaque in its inner dealings, now has a chance to be much more transparent. I happen to know many KP folk who are venturing down the transparency/Web2.0 path, so I’ll look forward to seeing how this (probably minor) little bun fight shakes out and how they react.

Categories: Uncategorized

Tagged as: , ,

10 replies »

  1. It’s June 2012 and Colorado Kaiser is still not counting deductibles, and asking customers to keep paying. Things haven’t changed.

  2. It is not on whether you’ll hear from usor not, it is more like whether you are even interested in the truth. Rather than being an apologist to the insurance company, why don’t you use your talents for better use and make some investigations of your own.
    We are not into this for 15 minutes of fame, but rather to expose a company that represents all that is wrong with this broken, corrupt HMO model that only serves to line up the pockets of corrupt executives being legitimized by people like you…we are sure that you have the best intentions at heart, but the way to hell is paved with “good intentions”…just do some investigations of your own, the data is out there in public and all you need to do is just look for it!

  3. Resiak, it would be nice to know what my assumptions are and what you think reality is. I’m just making logical conclusions from the outside. You are saying nothing, other than insinuating that I’m corrupt.
    So be a brave kid and reveal who you are to me (by email privately) and I’ll happily state your side of the story if it checks out. At the least you could actually answer my questions.
    Why do I get the feeling I’ll never hear from you.

  4. You are so full of assumptions Matthew that it borders on the sad. First of all, why are you assuming that we are “techies” because we are not. Another thing, we remain anonymous for now.
    KP PR is not needed, they have Mathew Holt for that and you are doing quite a fine job…I guess Health 2.0 must be expensive and needs deep pockets and KP has that in plenty…soldier on good soldier you’re doing a fine job. Just keep watching what is unfolding, maybe you’ll learn a thing or two in the process!

  5. Mat,
    Like we said, let the lawsuit take its course…it will become much clearer then.

  6. I’m clearly not able to comment on the specifics of KP’s internal security systems. But I do know two things.
    One all organizations make mistakes, and how they deal with these mistakes is important. Replying here on this comment thread shows that KP says it has those deductible calculations in place since 2004. Maybe they’re lying, but why would they do that on a public forum with a lawsuit pending? Secondly, both the dementia registry incident and the employee ID theft were investigated by KP. They admitted their problem with the registry and fixed it, and in February discussed the ID breach here http://xnet.kp.org/newscenter/pointofview/2009/020609breach.html Incidentally apparently the data was stolen from a union not KP.
    Two, for all I know Resiak is who they say they are–senior KP IT employees “four or five pay grades above Denning’s, so we think you may characterize us as a “fairly senior” something or another”
    And for all I know they may be right and KP may have a wide open network which all this data could be stolen from with ease. So my questions for them are, one jocularly why hasn’t it happened and secondly, if you are such senior KP employees why have you not either fixed the problem OR brought it to the attention of KP employees at an even higher level. And for that matter why are you working in an organization that you think is so incompetent and so rooted in the past. And why be anonymous?
    And if these things are all covered up, why did Kaiser not cover up its employees behavior in the Octomum case?
    Finally, a word on Kaiser PR. It’s good that Resiak thinks it’s an art and a science that’s been honed over the years. Perhaps he can travel back to the long ago time of 2006 when Kaiser actually did something wrong–completely screwed up the transfer of patients awaiting kidney transplants. And yes some of them probably died as a result, and Kaiser PR was nowhere to be found.
    Now KP is engaging with bloggers and critics in a relatively open manner.
    And finally, finally, whether or not KP HealthConnect has been a waste of $6.5 billion, it seems that the results they’ve been announcing in terms of reductions in mortality and other health outcomes improvements are impressive. Or are they faking this too?

  7. Matthew,
    At Kaiser Permanente we began offering deductible HMO plans in 2004. It’s worth noting that we’re especially proud of the fact that all our deductible plans provide preventive care visits and services without requiring members to meet their deductible.
    Ever since we began offering deductible products, we’ve had systems in place to track and help our members calculate their remaining deductible costs. As soon as members start accumulating toward their deductible, they start receiving a summary that lists service descriptions, accumulated charges towards deductible, and out-of-pocket expenses. After that, they receive an update in each month that their accumulations are updated.
    No system is ever perfect and over the past year or more, we have been working on ways to increase the convenience for our deductible plan members by connecting our deductible cost accumulating system with KP HealthConnect. We’ve made good progress, and look forward to the day when we can provide our members with the best, most accurate and easiest to use system of any plan in the country.
    John Nelson
    Kaiser Permanente

  8. It is so easy that outsiders like yourselves seem to “know” what really goes on at Kaiser and can so eloquently speak about it! The KP apologists are many and as you say Mat, “bought and paid for” and that is precisely what Kaiser counts on! Muddle the waters, obfuscate, negate, distort and so many other neat tricks they have at their disposal.
    It such a true and tried practice that it is beautiful! It is a fail-safe model that has become both an art and a science for the Kaiser PR machine.
    On your post you characterize John Denning as a “relatively senior techie” and that he was, but he was much more than that. He was the director of claims compliance and he took his fiduciary responsibilities seriously. How do we know that? We are Kaiser insiders and knew of him and his work. A couple of us are four or five pay grades above Denning’s, so we think you may characterize us as a “fairly senior” something or another! but that is not the issue.
    Perhaps more than many outsiders, some of us that on a daily basis fight the hard battle to protect our members, their safety, their privacy, their confidentiality and even their well-being, we think we know a little bit more about the internal dynamics of an organizations in a constant state of chaos and shifts. An organization whose very core seems to be held together by nothing more than plain luck and a culture of dodging bullets. Dementia registry on unsecured servers that live an “open, flat-network” without so much as a simple password protecting does not even begin to tell the story.
    There are millions more records containing social security, medical information, credit card information, family history, addresses, phone numbers, name it living on over 5,000 servers easily accessible to over 150,000 employees and thousands of other onsite and offshore contractors and vendors. We think that such an environment is in fact a “public” environment. If you want proof of that in the form of a bullet that was not dodged, simple: just look at the public record as recent as February of this year when Kaiser was essentially forced to admit that 30,000 of their own employees could have become victims of identity theft.
    To those of you who care about such things: how many potential identity thieves may be out there in a population of 150,000 and thousands more in terms of contractors may exist? And how many of those can fall into the temptation where a simple Windows search for “ssn” or “visa” or “credit card” or “mrn” will in a matter of minutes result into a “treasure throve” of spreadsheets, word document and all sorts of files containing everything you need for identity theft? Forget the dementia records, those are interesting, but the other stuff is a different story!
    The interesting thing about this whole situation, it is the fact that it is really that easy to uncover the real state of affairs. It would literally take less than 15 minutes to “open Pandora’s Box” and see “all hell break loose” as any regulatory agency would find out.
    Mat’s comment on the fact that Kaiser spent $4-$6 billion for an EMR is not accurate. KP has already spent a little more than $6.5 billion. Somehow you are assuming that because they spent this much money that a) they spent it effectively and b) they spent it in the right things. If you were on the inside, you’d think differently.
    True, KP would not hesitate in putting millions of secured bins every other square foot, after all, we think they’d cost a lot less than a fraction of $1 billion. But have you asked yourself a simple question: what processes exist at KP to ensure that policies are properly enforced, implemented and tested in an operational environment? We are here to tell you that there is none!
    But rather than argue the points, let the court system take its course. Denning is right, but partly so…there is a lot more than what Denning knows.
    It is only a matter of time until KP’s real situation is uncovered either through the court system or through the work of any properly functioning regulatory oversight…if there is one still left after the Bush years.
    We remain anonymous because we have no quixotic delusions that somehow we will “fix” KP, the market will take care of that and especially if President Obama is successful in his health reform agenda…KP is the past and not the future. Members will get educated and vote with their choices and despite the illusions of Thrive, KP will in the end fail because it has failed to carry on its fiduciary responsibilities and the protection of public trust. In healthcare the cliché adagio of “what you don’t know can’t hurt you” is absolutely not true…what you don’t know not only can hurt you, but can kill you

  9. Re #3, you write: “If that was still the case in 2008 then that certainly needs attention, and it doesn’t get commented on by the KP response email quoted in the piece.”
    Just to clarify and in fairness to KP: I did not ask KP to comment on that specific allegation. I had asked them to respond to the two allegations concerning privacy issues as PogoWasRight.org and PHIprivacy.net are oriented to the privacy issues.
    Re #1: Not surprisingly, perhaps, I disagree with you and think that it is *is* a concern. Allowing unnecessary personnel to have access to an intra network that they do not need access to is an invitation to a breach. We have already seen too many cases where insurance and hospital employees have not only snooped on data but have accessed it and sold it to others for purposes of fraud. The allegation that KP did not secure the registry promptly and that the plaintiff had to repeatedly raise the issue/concern is something that I do want to see more evidence about. If KP got lucky, fine, but as a privacy advocate, I want to know if they really, as alleged, left that registry available for any length of time, particularly after being alerted to the problem.
    Re #2: If you read the full complaint by the plaintiff where it describes how he went out and bought shredders and the like and moved trash bins, you may get a different impression of whether it passes the ‘sniff test.’
    Of course, we all understand that these are just allegations that have not yet been presented in a court with evidence, etc.

  10. Additional discussion of item 1 would be nice. It is a great example of unintended consequences of legislation and how Congress drives everyone to the mega insurers. If we even suspect PHI including SSNs were accessible to people who do not have legal rights to the data we are required to send notice to every one potentially effected and pay for 12 months of credit guard. For small carriers and TPAs such a breach would put us out of business. Even in a case like this where there is zero reason to suspect anyone was harmed or the data was accessed for non legal purposes the penalty is death. I either need to charge my clients more to cover the cost of such an incident, take my chance and lose the family business, or they go with large mega carriers that can afford, and do regularly, to pay the cost. None of these outcomes benefit insured’s or our system as a whole.
    To make matters worse to eliminate risk we were almost to the point we didn’t need to collect peoples SSNs. After 5 years of work to get there Congress decides we must by law collect SSNs and report them to CMS. Besides billions being wasted to move away from SSNs we now have created additional opportunity for the accidental exposure of data leading to wasted cost.
    Item 3 I would not be surprised at all, a few years back, 4-6?, we were a subcontractor on a bid to handle the tracking and billing of deductible and other expenses for Kaiser High Deductible plans. The firm we were bidding under would feed us the data from Kaiser and my firm was to bill the individuals, collect the money, then report back to Kaiser. When we were dropped from consideration I said they would rue the day, it’s nice to see they apparently did/are. Let that be a lesson to those that don’t hire me, karma and I are on very close terms! They didn’t have any internal systems for those types of plans.