Jonathan D. Silver reports:
Monroeville’s assistant police chief has filed a complaint alleging that his own municipality, UPMC and the department’s former chief breached a federal privacy law governing release of medical information.
[…]
The complaint, filed in August by Assistant Chief Steven Pascarella, claims that information about ambulance dispatches was being sent not only to paramedics but also to his old boss, George Polnar, although he was not an active first responder, and was then forwarded by Mr. Polnar to a third party.
Read more on Pittsburgh Post-Gazette. The town’s attorney doesn’t see any problem:
“Who thinks it is a violation? So far the vote is the assistant chief. And he’s practicing law without a license. I don’t see it,” Mr. Dice said. “The only lessons learned out of this mountain out of a molehill is we’re taking names off this list that don’t have any reason to be on there anymore. This isn’t a big deal.”
Actually, I think it is a big deal, although I am not a lawyer, either. Sending information where the patient can be identified to individuals who are no longer HIPAA-covered entities and who no longer have a need to know strikes me as a very big deal. I would have preferred to see the town acknowledge that privacy was violated by sending information to individuals who should no longer have had access to it, instead of denying any wrongdoing. I will be interested to see the follow-up to this case.
Update 1: “Mike” has posted a link in the Comments section to TV news coverage of this case: http://www.wtae.com/news/local/investigations/Complaint-alleges-police-chief-received-shared-info-from-911-call/-/12023024/16880170/-/ci1kacz/-/index.html
I think their solicitor shows a lot of arrogance. Maybe this town needs a new attorney. Someone needs to ask how long the name was on the list. Also, UPMC really has no comment, really?
I read the Post-Gazette story. It appears to me that the Assistant Chief simply reported a situation that may be a crime. HIPAA is a Federal crime. I would think neither the solicitor nor the Assistant Chief are qualified to investigate themselves.
There are civil violations and not just criminal ones under HIPAA. I don’t see anyone getting criminally prosecuted for these circumstances, but my impression is that there has been a violation of HIPAA’s privacy protections. And as you suggest, it doesn’t really matter what locals say. HHS (and/or the courts) are the final arbiters of whether there has been a violation.
The criminal question has to be why was the Security Chief on there in the first place? Who put him on there? And when was he placed on there? And, what was he doing with all of that information he was receiving?
Monroeville is a big community. That is a lot of ambulance calls. Were they storing the data?
He was never removed from the list when he retired (he should have no longer received the notices after he retired).
The other issue I see is whether the data were adequately secured on his personal device.
Keep in mind that not all EMS services are HIPAA-covered entities. It sounds like this one may be, though, and if so, there are some legitimate questions here about compliance with both the Privacy Rule and the Security Rule.
A simple question has to be, was he receiving the information on his municipally issued device or was it on his personal device? If he was retired, you would think they would take away his government-issued phone. If he still had the government-issued device, the “he was still on there” defense could hold water. But, if he was receiving the information on his personal device, that means they updated it AFTER he retired.
If they failed to take away his device or restrict his access after he retired, that’s still on them and may well violate HIPAA. If you terminate a hospital IT employee, you change passwords/cut off access. Saying “we forgot to” is not an acceptable defense.
I love the Fire Chief’s comment, “who cares”?
I forgot to include the URL…Fire Chief Ron Harvey, “who cares”
http://triblive.com/neighborhoods/yourmonroeville/2805293-87/list-chief-responders-emergency-fire-harvey-polnar-department-information-medical
Hope you don’t mind but I tweaked your comment to give the direct url to the story and the fuller comment beneath it.
I am also very curious who these third parties are that were getting the information passed to them. Pure speculation but makes me wonder if it was ambulance-chasing attorneys, as it was in the recent case at Florida Hospital in Celebration? http://www.theledger.com/article/20121022/NEWS/121029798/1134?Title=Man-Pleads-in-Health-Information-Theft-Case
Ambulance-chasing attorneys or ambulance-chasing hospitals. The guy who was receiving the information works for the newest hospital in town. The hospital was built a mile from an existing hospital. The competition for ambulance patients is fierce.
It also made the TV news. You would think that the solicitor would have a consistent story.
http://www.wtae.com/news/local/investigations/Complaint-alleges-police-chief-received-shared-info-from-911-call/-/12023024/16880170/-/ci1kacz/-/index.html
So the former chief was receiving these notifications for two years and never said to anybody, “Hey, I shouldn’t be receiving this info anymore?” I think UPMC is probably correct that this has nothing to do with them, assuming that they neither sought nor received any of the information, but the town’s solicitor is minimizing what I think is a real problem.
And what is the town now doing to ensure that all messages sent to people who shouldn’t have received them have been securely deleted from those individuals’ devices?
I really hope HHS/OCR does a serious investigation here.
Do you have any idea how to make sure that HHS/OCR does an investigation?
They investigate every complaint they receive and publish monthly stats. In time, maybe file under FOI for the results of their investigation if there’s no public follow-up.
It is hard to argue that there is no privacy violation given the nature of the allegation: unauthorized access and acquisition. But is the privacy violation a data breach? To answer this question we need to consider both the federal HIPAA and PA state law. If the state agency where the 911 calls are handled is a HIPAA covered entity, then the HITECH breach notification rule must be followed to assess whether the incident/violation poses a significant risk of harm to the affected individuals, to determine whether notification is required. But regardless, PA’s Breach of Personal Information Notification Act applies to all PA state agencies, so this means that even if the HIPAA rule does not apply, the violation falls under the state law IF the personally identifiable information was being stored and transmitted electronically to the previous chief and any third parties. In this case, there needs to be a determination/assessment whether the unauthorized access and acquisition of computerized data causes, or the state agency reasonably believes has caused or will cause, loss or injury to those involved in the incident. It looks like downplaying the issue is a reflex rather than a thoughtful and sincere assessment of the situation. One must ask why the distribution list is not being kept current when dealing with such sensitive information?
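The control that both of the comments above point at (cutting off access when someone separates, and keeping a sensitive distribution list current) is routine to automate. The following is an added example, not code from the post or from any agency or vendor named in it: it reconciles a dispatch-notification list against a roster, drops recipients who have separated or whose role carries no operational need to know, flags delivery to personal devices, and trims the past-medical-history field for anyone who is not responding crew. The recipients, roles, dates and record fields are constructed placeholders.

```python
"""Reconcile a dispatch-notification list and minimize what each recipient gets.

Added example; the roster, roles, dates and dispatch record below are
constructed placeholders, not data from the reported case.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles assumed (for this example) to have an operational need for dispatch details.
NEED_TO_KNOW_ROLES = {"paramedic", "emt", "dispatcher", "duty_officer"}
# Roles assumed to need the patient's prior medical history as well.
CREW_ROLES = {"paramedic", "emt"}

@dataclass(frozen=True)
class Recipient:
    name: str
    role: str
    device: str                       # "agency" or "personal"
    separated: Optional[date] = None  # retirement/termination date, if any


def reconcile(recipients, today):
    """Return (keep, remove, warn).

    keep   - names that stay on the list
    remove - name -> list of reasons the entry must be dropped
    warn   - name -> reason the entry needs follow-up even though it stays
    """
    keep, remove, warn = [], {}, {}
    for r in recipients:
        reasons = []
        if r.separated is not None and r.separated <= today:
            days = (today - r.separated).days
            reasons.append(f"separated {days} days ago but still listed")
        if r.role not in NEED_TO_KNOW_ROLES:
            reasons.append(f"role '{r.role}' has no operational need to receive dispatches")
        if reasons:
            remove[r.name] = reasons
            continue
        keep.append(r.name)
        if r.device == "personal":
            warn[r.name] = "delivered to a personal device; confirm encryption and remote wipe"
    return keep, remove, warn


# Fields every legitimate recipient needs to respond to a call.
DISPATCH_FIELDS = {"incident_id", "address", "age", "sex", "chief_complaint"}

def minimize(record, recipient):
    """Return a copy of the dispatch record limited to what this recipient's role needs."""
    allowed = set(DISPATCH_FIELDS)
    if recipient.role in CREW_ROLES:
        allowed.add("history")
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample data (placeholders, not real people or addresses).
SAMPLE_RECIPIENTS = [
    Recipient("Alice", "paramedic", "agency"),
    Recipient("Bob", "chief", "personal", separated=date(2010, 11, 1)),
    Recipient("Carol", "administrator", "agency"),
    Recipient("Dave", "emt", "personal"),
]
SAMPLE_RECORD = {
    "incident_id": "EX-0001",
    "address": "1 Example Street",
    "age": 54,
    "sex": "F",
    "chief_complaint": "chest pain",
    "history": "hypertension; prior MI",
}

if __name__ == "__main__":
    keep, remove, warn = reconcile(SAMPLE_RECIPIENTS, date(2012, 11, 1))
    print("keep:", keep)
    for name, reasons in remove.items():
        print("remove:", name, "->", "; ".join(reasons))
    for name, reason in warn.items():
        print("warn:", name, "->", reason)
    for r in SAMPLE_RECIPIENTS:
        print(r.name, minimize(SAMPLE_RECORD, r))
```

Run it on a schedule against the HR/roster system of record rather than by hand; the point of the example is that "we forgot to take him off" stops being possible once the list is regenerated from the roster instead of maintained alongside it.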
I’ve noted in the past that not all EMS and fire services are HIPAA-covered entities, so your point is well-taken. The fact that these are electronic transmissions, however, would seem to put them under the umbrella of healthcare provider under HIPAA.
There’s no doubt in my mind that this is a serious privacy and data security problem. Whether there’s a violation of law, though, remains to be seen. The state’s law is more oriented to ID theft risk than medical privacy from what I saw of it, so depending on what kind of info was involved, there may be no duty to notify under state law.
It isn’t that simple on whether or not this is a HIPAA/HITECH breach.
The qualifier under HIPAA has always been “does the provider submit electronic claims for service?” Most ambulance companies that bill do submit electronically, because Medicare doesn’t accept paper claims anymore, so if they bill, they are probably a CE.
I’m honestly horrified about this. I always try to use these as training exercises for how we can improve our own processes, but this is so egregious I can’t see how to make it applicable!
The data was sent electronically. The one person, we know, sent it to someone else, electronically. It APPEARS he was getting the information for an extended period of time, but we only know of one time where he transmitted to another. The identity of the patient was made with the address, sex and age of the individual by using local voter registration records. Needless to say, that took about 10 seconds. The local paper said that 10 other names were removed from the list. My guess is it was more than that. So at least those 10 were receiving unauthorized electronic communications. Keep in mind, more than just the 3 identifying pieces of information were being transmitted. The patient’s current chief complaint was being sent but ALSO THE PATIENT’S PAST MEDICAL INFORMATION. Imagine an employer getting a hold of that information. Imagine the patient has AIDS, takes psychiatric drugs or has musculoskeletal injuries. Could he have been denied employment because an unauthorized person received the information?