Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor
Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm. According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System (“Sure File”) to organize and clear out older patient records on its behalf. As it turns out, the storage firm kept those patient records in a warehouse shared with an individual’s party rental business and Ford Mustang, then in the storage firm’s owner’s personal garage and home.
Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, allerging that all of the patient records had not been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couples’ home, and the patient records only deleted as of this past New Year’s Eve.
The LA Times article states that HHS officials were notified last year when the Deans filed a complaint. You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser.
In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information. According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.
Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies. Kaiser spokesman John Nelson stated,
“Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we’d never done business with Mr. Dean.”
It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor. However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser’s patient records, what liability may exist for the contractor?
Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI. However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.
Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum, the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract. I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however reckless the other party may also have acted with regard to the information.
