InformaticsMD on NPR Affiliate KNPR regarding electronic medical record privacy: St. Rose hospital group used patient information to solicit patient lobbying?

Radio station News 88.9 KNPR, the NPR affiliate in Las Vegas, did a segment today on the following news story. The station’s Senior Producer had invited me to participate via phone regarding patient privacy issues.


Emphases mine:

 

http://www.reviewjournal.com/news/federal-complaint-alleges-st-rose-hospitals-violated-patient-privacy

February 10, 2014 – Updated  February 11, 2014
Federal complaint alleges St. Rose Hospitals violated patient privacy

By STEVEN SLIVKA
LAS VEGAS REVIEW-JOURNAL

Dignity Health, the owner of St. Rose Dominican Hospitals, is facing a federal complaint alleging it violated patient privacy by using patient records as leverage in a contract dispute.
According to a Monday announcement from the Nevada Health Services Coalition, Dignity Health used patient records to contact those with coalition member plans after agreements between the two agencies fell through in January, something it contends violates the Health Insurance Portability and Accountability Act, or HIPAA. The complaint was filed with the U.S. Department of Health and Human Services Office of Civil Rights.

The complaint contends St. Rose contacted former patients in an attempt to persuade them to take action with their health plans favorable to St. Rose. The complaint also said that St. Rose claimed their actions were simply to be “informative.”

“It’s our position that patient data collected in the course of medical treatment should not be used to lobby or gain leverage in contract negotiations,” said Christine Carafelli, executive director of the coalition.

The Nevada Health Services Coalition is a nonprofit entity that negotiates hospital contracts for discounted health care service rates for 19 member group organizations, totaling approximately 230,000 Nevada residents.

A spokesperson for St. Rose said they would issue a statement on Tuesday. 

The segment has now completed.  It was hosted by Dave Becker of KNPR.

A representative of the Health Services Coalition (http://www.lvhsc.org/), a local organization of union, casino and local government health funds who bargain together for maximum leverage, participated, as did a hospital VP.

The coalition is accusing the St. Rose hospital group (a division of Dignity Health) of using patient records to contact patients to urge them to lobby for the hospital in contract negotiations.

I was asked for an opinion on the acceptability of access to patient information in an organization’s EHR systems (including PHI such as name, address and other contact information) for purposes of soliciting the patients to lobby the insurers on behalf of the healthcare organization for better terms.

My opinion was clear, which I summarize as follows:

1.  Hospitals do not “own” patient data to use as they please. It is not a simple business asset, like typewriters – or computers. Any belief that a hospital can treat patient records as such, to be used as they pleased, would reflect arrogance;

2.  The HIPAA privacy rule and its exceptions (viewable at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/, section under “Permitted Uses and Disclosures”) would preclude the use of patients’ private and protected information in an EHR for selective solicitation for lobbying on behalf of the hospital;

3.  Who accessed the patient information, and exactly what they accessed, is not clear, and an electronic audit trail needs to be disclosed as to these issues;

5.  The hospital could have accomplished such goals transparently, safely, and without access to private health information, by putting an ad on the radio (or newspaper etc.), or mailing a general newsletter such as I often receive from area hospitals, even hospitals where I was never a patient.

A hospital VP contributed soothing words that the hospital respects patient privacy, trusts its employees and doesn’t wish this matter to become a stumbling block in negotiations.  However, in my opinion the hospital violated the HIPAA privacy rules and potentially put patient privacy at risk. 

No amount of soothing, deflecting executive language and shifting of the discussion can change that, and a full disclosure accounting would be proper.

(I note the HIPAA privacy rules do not state “For informational purposes only. Use patient information however you want if you trust your employees and you think the risk is low.”)

That is, assuming an audit trail of sufficient detail is recorded in their EHRs, assuming it is turned on, and assuming it can be trusted in light of the HHS OIG report of Dec. 2013 where many hospitals admitted EHR audit trails can be deleted or edited by a person with appropriate credentials. (See my Dec. 10, 2013 post “44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they’d like” at http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html).

The segment audio is online here: http://www.knpr.org/son/archive/detail2.cfm?SegmentID=10939

— SS 


Feb. 14, 2014 Addendum:

A thought experiment demonstrates just how far from propriety, in my opinion, this affair is:

If a hospital can use confidential information in this manner, to enlist patients as de facto lobbyists regarding an insurer, then why could not a hospital use other data – e.g., patients’ disease burden, smoking status or even sexual orientation – to ask them to lobby, say, a politician to gain some advantage, such as certificate-of-need approval for expansion, or anti-competitive legislation? Or, to ask patients to participate in political activities for/against some politician or group that might hold views or conduct activities favorable/unfavorable to the hospital’s interests?

— SS