Today’s Los Angeles Times covers a situation I discussed yesterday involving Kaiser Permanente and Surefile Filing Systems*. Because Chad Terhune’s report involves statements by Stephan Dean, owner of Surefile, some of its details may appear to contradict what I reported yesterday. In actuality, the “he said – they said” nature of the reporting simply emphasizes how serious this case is from the perspective of whether patient information was, and is, protected.
As just one example, Kaiser denied that any PHI in e-mails retained by Dean or the spreadsheets created by Dean contained sensitive information, yet the L.A. Times reports – based on Dean’s statements to them – that “Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers. Later in the report, Terhune notes:
Dean said Kaiser showed little concern for patient privacy in handling those requests. Only one out of more than 600 emails from Kaiser was password-protected with encryption, he said. Many medical providers use such technology so information isn’t visible to others.
“Every one of these records is somebody’s life,” Dean said recently, scrolling quickly through what he said was Kaiser information on his computer screen. “We could have sold these emails to somebody in Nigeria, but Kaiser doesn’t care about its patients’ information.”
Kaiser said that government rules don’t require encryption and that “our vendors are contractually required to maintain secure environments for all records, and this includes Sure File.”
Kaiser is correct as far as their statement goes, and if there was a BAA in effect, then Dean is mistaken in claiming that he could have sold those records.
But more to the point: someone is flat-out lying about what information and records Dean did not return nor destroy and the extent to which they were secured consistent with HIPAA’s Security Rule.
California and HHS need to get to the truth and take appropriate action. And the judge overseeing the case in Superior Court Riverside, in Indio, should order Dean to turn over all computers containing any electronic information to be preserved and protected by the court.
* Some reports call the company Sure File Filing Systems, but court records refer to them as Surefile Filing Systems