An update to a case previously mentioned on this blog. Jordan Green reports:
A Winston-Salem dentist who made an unsuccessful bid for Congress earlier this year went to court today to try to mitigate the damage of confidential patient information allegedly released to a political consultant whom he fired a couple weeks before the primary.
Superior Court Judge Lindsay Davis ordered political consultant Chris Church to destroy all physical documents containing confidential patient information obtained from Dr. Bruce Peller’s office, to delete any electronic files and to not use the information for any purpose.
“We’re here to protect the personal information of some 10,000 of Dr. Peller’s patients,” Jessie Fontenot, the former candidate’s lawyer, told the judge. “It’s our belief and contention that this information is currently in the possession of Mr. Church. This information, as Dr. Peller has testified, includes not only names, addresses and telephone numbers, but most importantly patient identification numbers, dates of birth, treatment dates and other similar information. It is our belief and contention that Mr. Church gained access and compiled this information through unauthorized and illicit means. What is at issue here is our attempt to try to secure the information to try and mitigate any negative consequences to the patients as a result of Mr. Church’s access to and possible distribution of the information.”
Peller notified his patients and several media organizations, along with the US Department of Health and Human Services, which enforces the Health Insurance Portability and Accountability Act, or HIPAA, of the breach.
But there’s another side to this story, and that other side – the consultant’s – alleges that the dentist/candidate actually gave the patient lists to the consultant or was complicit in him obtaining them:
“Mr. Peller comes into this court with unclean hands,” Jordan argued. “By that I mean that Mr. Peller, by his own testimony, was negligent by allowing or giving Mr. Church these lists or he was complicit and actually took part by e-mailing these lists to Mr. Church. Now he’s coming to court looking for an equitable remedy when he himself testified that he gave the lists to Mr. Church. Now he wants to come in and seek injunctive relief to go in and search Mr. Church’s electronic files. Which I can assure you Mr. Church has a whole lot of confidential information regarding the various clients he’s had throughout the state that’s in his job as a campaign manager.”
And this is the part that really needs HHS/OCR’s attention – what was the dentist’s role in all this? It seems that he admits that he provided some patient information to the consultant – but not all of it:
Peller submitted a list of patients that included dates of birth to the court. He told Judge Davis that the list had been e-mailed as an attachment from Church to David Wyatt, who was responsible for maintaining the candidate’s website.
“The document that Mr. Wyatt forwarded to me had information that had never been in a report before,” Peller testified, “namely dates of birth and e-mail addresses. There’s several criteria for information that needs to be protected. One of the criteria is date of birth. So there wasn’t a problem with an e-mail, or a list that had someone’s name and address and phone number, but once date of birth was included it rose to a different level.”
Jordan asked Peller if it was true that he e-mailed lists with patient information to Church.
“Mr. Church received physical lists from me, which had patients’ names, addresses and phone numbers,” Peller testified, later clarifying that the lists were distinct from the report Church allegedly ran that contained dates of birth and other sensitive information.
“And when you were giving Mr. Church these lists you knew that you were violating the HIPAA law,” Jordan said.
Peller responded, “The names, addresses and phone numbers weren’t in violation of HIPAA.”
Read more on The Yes! Weekly Blog.
Because I am not a lawyer, I do not know if Dr. Peller is correct in claiming that he can give a political consultant a list of patients’ names, addresses, and phone numbers. I don’t think he is and I sure as hell wouldn’t do that myself, but is it legally permissible under HIPAA? And how did the consultant allegedly obtain the rest of the patient info that the former candidate alleges he obtained?
At first blush, it strikes me that the candidate violated HIPAA in one or more ways. At the very least, if he did not actually provide protected info, he seems to have failed to adequately secure PHI.
I really hope HHS/OCR investigate and use this as an opportunity to educate covered entities by issuing a press release on this case.