In June of 2012, I mentioned a dispute between Kaiser and one of its former business associates, Surefile Filing Systems. At that time, Chris Rauber had reported:
“Kaiser handed over to me several hundred thousand patient records without a written contract” in 2008 and the following year, said Stephan Dean, who owns Surefile with his wife, Lisa. Electronic versions of those records remain in his possession, Dean told the Business Times, and he wants $80,000 he says Kaiser owes his company before destroying or returning them.
Kaiser, not surprisingly, has a different take. At its request, Dean turned over all of its records in 2010 “that had temporarily been stored by this vendor,” says Diana Halper, a spokeswoman for Kaiser’s Southern California region. She alleges that Dean is “falsely claiming continued possession of medical information as leverage to extract an unearned and unfair settlement from a routine business matter that was properly resolved long ago.”
In my blog post, I noted that it was Stephan Dean, owner of Surefile, who had submitted the news link to Rauber’s report to this blog. I asked Dean to provide some proof of his claims. I did not hear from him, but months later, he e-mailed me to reiterate he was still in possession of patient information. I asked him again to provide proof. Again, he did not respond.
In November, Chris Rauber provided a follow-up on the dispute. By then, Kaiser had sued the Deans and sought an injunction seeking the return of any records.
According to a KP spokesperson:
After multiple attempts to resolve this matter, Kaiser Permanente has been forced to file suit against the Deans. Kaiser Permanente is committed to protecting the medical and personal privacy of its patients under all circumstances and from any possible threat, and will always act decisively to prevent any possibility of threat to the medical and personal privacy of Kaiser Permanente patients and members.
So it appears that by October, when they filed suit, Kaiser was acknowledging that not all information had been deleted or returned, even though they had claimed in their June statement that all records had been returned. The seeming contradiction between their June and November statements warranted further scrutiny, so I started looking into the dispute more.
In a statement sent to PHIprivacy.net this afternoon, Kaiser Permanente states:
As soon as we discovered that Surefile was not performing the services as agreed, we acted quickly to guarantee the security of our files, and ultimately physically retrieved all of them from Surefile. This was over two years ago, and we are confident we obtained all our patient records. At that time, Mr. Dean purported to have complied with his contract, and returned all the stored records, appropriately destroyed any other records he created, and agreed Surefile had been fairly compensated for its services.
Later, Mr. Dean began claiming he had kept emails from Kaiser Permanente, and spreadsheets Surefile created to track the paper files being archived, and began demanding additional payment to return or destroy these documents. Mr. Dean does not claim to have ever made or kept copies of patient medical files or to have viewed their contents.
In late December, Mr. Dean told Kaiser Permanente that he was deleting email and other electronic information he retained that contained patient information. This is a positive sign, although based on his behavior we will seek independent verification of his claim. The most important thing is that the files themselves were never inappropriately accessed, and we got all of the hard copies back.
In his November update, Rauber also reported:
Dean said he thought he’d settled the dispute with Kaiser in late March 2011, when he reached a confidential settlement to be paid $110,000 by Kaiser Foundation Hospitals and Kaiser Foundation Health Plan (but not, interestingly enough, Southern California Permanente Medical Group, which Dean says is responsible for many of the relevant patient files). But the settlement fell apart over a variety of issues, including Dean’s refusal to turn over his personal computers to Kaiser without additional compensation and, according to Dean, Kaiser’s refusal to include electronic records in an indemnification of the Deans and Sure File against future damages.
In the March 2011 confidential settlement agreement, Kaiser acknowledged that “Sure File (sic) and KP failed to fully memorialize their business relationship relating to the Services in a written agreement.” (Dean provided a copy of the confidential settlement agreement to the Business Times, he said, after it was included by Kaiser in court documents for the Superior Court case.)
In looking at the court filings, it appears that Dean’s claim that there was no written business associate agreement in effect in 2008 and 2009 when Kaiser handed over patient data may be accurate and that business associate agreements were backdated after the transfer of PHI. Kaiser’s complaint states that they entered into an agreement with Surefile in 2008 and that Dean agreed to comply with the usual terms of their agreements with business vendors, but they do not state that it was a written agreement, whereas in describing agreements made in 2009 and March 2010, they state that they entered into written agreements. According to Dean, however, even the June 2009 BAA was not signed at the time but was subsequently backdated.
Stephan and Liza Dean are representing themselves in this case, and you can read their response to the complaint. In their Declaration, they agree they entered into some of the agreements Kaiser claimed, but specifically deny that they entered into any confidential scanning agreement on November 17, 2009 that involved the Moreno Valley center. Importantly – from a HIPAA standpoint – they allege that Surefile was in possession of patient information from patients at the Moreno Valley Kaiser from 2008 to 2010 even though no written BAA was in place and that many of those records contained psychotherapist notes.
In a case as complex as this one, it is important to reiterate that there seems to be no dispute about whether the paper patient records have been returned. Nor does there appear to be any dispute as to whether any records have been improperly disclosed to others by the Deans; KP has no reason to believe there has been any improper access or disclosure. Their spokesperson states, “There has never been any evidence, complaint or accusation of any record disclosure or inappropriate access at any point in this process. All of the files provided to Surefile for storage were returned, over two years ago.”
But what was in all the unencrypted e-mails that Dean claimed to possess? Correspondence from Thomas Freeman, KP’s attorney, attached to Dean’s Declaration, referred to PHI being in the e-mails. In a statement to PHIprivacy.net, KP states that
By suggesting that unencrypted emails contained PHI, Mr. Freeman was alluding to non-clinical information that is also protected by state and federal law, even such items as names and demographic data. Kaiser Permanente regards all such information as essential to the privacy interests of its members and patients, and consequently is seeking legal protection for this data. If Surefile inappropriately retained emails which contain confidential information, Surefile is obligated to protect those records, and return or destroy them as appropriate. While there are no email encryption requirements under HIPAA or CMIA, our vendors are contractually required to maintain secure environments for all records, and this includes Surefile.
The case is in Riverside Superior Court in Indio.
In light of the Deans’ various claims over the past two and a half years, I would hope that the judge keeps the best interests of the patients in the forefront of any decision-making.
Dean reportedly filed complaints with both the CDPH and HHS, alleging that KP violated state and federal law.
With regard to the former, KP states that they were contacted by the state and have cooperated fully in an “ongoing dialogue with the CDPH on this matter to ensure that this kind of incident will not occur again. There have been no penalties to date on this matter.”
KP says they have not been contacted by HHS, so I guess we’ll have to wait to see what, if anything, HHS does. If Kaiser really didn’t have written BAAs in place before Surefile was given pallets of patient records or access to records with PHI, HHS might have something to say about that. But the more immediate concern is that a former business associate seems to still be in possession of e-mails that contain PHI, even if it is not necessarily particularly sensitive information.
Hopefully, Surefile will return the e-mails they reportedly agreed to return.
I will try to answer some of your questions raised here.
First, as far as you reaching out to us to provide proof that we had protected information in our possession. We were quite uncomfortable with this request because if we did provide it we would be violating the law as to disclosing this information to an unauthorized third party which is what you are.
The real problem right now and the reason why we were maintaining the PHI was so that we could provide it as evidence to state and federal regulators. After Kaiser filed their lawsuit against us in October 2012, CDPH determined because of our complaint to them that was filed in August 2011, that Kaiser was at fault and did not have appropriate safeguards in place to protect the information. They based this decision on documents we provided as well as conversations we had with them over the course of their investigation. We also sent them samples of some of the emails that Kaiser had sent us. The problem was that because CDPH could not come to our home to physically investigate our computers and view the emails, the samples that we sent them could not be used as evidence. Kaiser has been very ambiguous in their answers as far as the emails are concerned. If they feel that an email containing name, medical record, diagnosis, age, address, social security number, admission dates, and doctors’ names does not need any safeguards, how can they claim their patients’ privacy and protection is of their utmost concern? In the Times article you will notice that they say encryption is not required; however, they will not admit that they had no safeguards in place when they sent the emails. We felt that it was necessary that we maintain all of the data as evidence. Now that CDPH has confirmed our complaint they have told us that the case will be turned over to CalOHII who has the authority to come visit us in our home and see the data. We have been talking to CalOHII for well over a year and they are aware of the problem. Unfortunately, Kaiser, by suing us, has put us in a very vulnerable position. We cannot afford a lawyer to fight for us so we are representing ourselves. As reported in the LA Times, we have under penalty of perjury confirmed that we have deleted all PHI in our custody and control and have retained no copies.
So, unfortunately, neither CalOHII nor the OCR will be able to verify that Kaiser sent the emails unprotected. The only way that we can be sure that the emails that Kaiser sent have not been accessed by an unauthorized third party is not just to simply have a forensic account come in and confirm that we have deleted the emails and PHI from our computers; this accounting would have to go further, where the logs would be sought from our email provider to see if there has been any unauthorized activity or access to our account. You can see from what we are saying that if Kaiser would have followed federal and state law which require safeguards on emails there would be no problem here and simply deleting would be all that is necessary. We do not feel that we should have to lose our right to privacy and give Kaiser access to our private property for their very negligent conduct. How can Mr. Freeman or his client deny that they sent hundreds of emails that contained PHI on thousands of patients and claim that they knew nothing about it until I told them in 2011? As a matter of fact we sent Mr. Freeman copies of some of the emails in September of 2011 so they were well aware of what those emails contained.
We honestly got into this business relationship with Kaiser for the storage of medical records without having the proper knowledge of HIPAA and state privacy laws. We want to assure all Kaiser patients and the public that we have always safely maintained the records, whether paper or electronic, and have never threatened to disclose the information to any unauthorized third party. We are actually considering filing a suit against Kaiser for alleging that we have threatened this. We have, however, told Kaiser we would contact the patients directly to inform them of Kaiser’s negligent actions. Contacting the patients directly is not unlawful, but of course Kaiser has done all they can to stop that by getting a restraining order.
We are doing our best to litigate this and we plan on peeling the onion and proving that because we blew the whistle internally to Kaiser we were punished and never given any more work after the contract was given to us in March of 2011.
Maybe this will explain why we are not so open to helping Kaiser fix their mistake without making us whole again for the losses we took when they took all our work away that they had promised in verbal contracts. They claim, and they are correct, that we waived all claims against them in the March 2011 agreement; however, we have never agreed to allow them or anyone else access to our email accounts and computers. Kaiser should pay us the $230,00 they offered and just live with the fact that we would not agree with the terms of shutting our mouths about this.