At a time when concerns about the privacy and security of electronic health records are a hot topic and the issue of private vs. public health insurance is making the front pages, a lawsuit filed by a former Kaiser employee alleges that Kaiser knowingly and repeatedly violated HIPAA, exposed millions of members to identity theft, and ripped members off by not keeping track of deductibles and co-payments.
A whistleblower lawsuit filed by a former employee against Kaiser in Los Angeles County Superior Court names Kaiser Foundation Health Plan (KFHP), KP Program Group, and Robb Munson, Vice-President of Health Plan Service and Administration for KFHP as defendants. The plaintiff is John Denning, a former Senior Enterprise Architect and Director of Claims for Northern California.
Allegations of Unfair and/or Illegal Business Practices
According to the complaint, a copy of which was obtained by this site, Kaiser’s practices have exposed millions of members to identity theft and medical fraud, and have likely cost Kaiser members millions of dollars in overcharges on deductibles and other out-of-pocket patient expenses on insurance products that “were illegal or improperly administered.”
Denning, who began working at Kaiser in 2003, alleges that Kaiser had no system in place to track deductibles and out-of-pocket payment by members. As a consequence, Denning claims, Kaiser retained millions of dollars at members’ expense by essentially forcing the members to prove that they had met their deductibles. Denning alleges that the failure to track deductibles existed from the time he started his employment, was still ongoing in 2008, and was willful, i.e., Kaiser did not do what it could have and should have done. Denning also alleges that Kaiser sold some products to unsuspecting people in states where the states had flatly disapproved of those products.
Allegations of HIPAA Violations
Denning’s complaint also alleges two patient privacy breaches that have never been reported in the media:
1. Denning claims that in November 2007, he discovered a security breach involving all Kaiser members in Northern California diagnosed with dementia. According to the complaint, Kaiser’s Dementia Registry had been placed on a “widely accessible public share drive” on Kaiser’s network. Denning claims that he reported the problem to the KPIT help desk, but the problem continued, and he then reported the problem to the KPIT Compliance Officer. According to the complaint:
That officer told Plaintiff that Kaiser leadership did not care and that there were widespread violations of HIPAA throughout the Kaiser network and throughout the organization. He told Plaintiff that the only way he could get the company’s attention would be to send the information anonymously on a disk to George Halverson, Kaiser Foundation Health Plan’s then CEO, at his home with a note telling him that unless this was corrected by a certain date, the next time he would see the information would be in the New York Times.
Denning claims that he did not do that, but instead, reported the breach to the National Compliance Hotline. Again, he reported getting no response.
2. Denning also claims that sometime around April 2008, Kaiser employees in his building
were regularly dumping thousands of unshredded patient health information (“PHI”) paper records that they had printed that included patient names, other identifying records including their social security numbers, banking information, diagnoses, prescriptions, and other sensitive information into public trash bins which were unlocked, unmanaged, and totally exposed to public scrutiny.
Denning claims that he reported the situation to the Compliance Officer for his department and followed up repeatedly.
Months later, Kaiser management claimed to have done an “investigation” of Plaintiff’s report and denied that any HIPAA violations had been or were taking place, despite the fact that Plaintiff and at least five other Kaiser employees confirmed that they had witnessed the on-going illegal dumping of patient records.
According to the complaint, he reported the alleged HIPAA violations to the U.S. Department of Health and Human Services (“HHS”) on at least three occasions, and claims to have retained evidence of the violations.
Although Denning claims that Kaiser violated federal law (HIPAA) by not notifying HHS of the breaches he observed, this site is not aware of any provision in HIPAA that would require such notice. Because HHS does not provide information on the status of complaints, it is not clear what action, if any, HHS may have taken or may be contemplating based on his complaints.
There is no indication in the complaint that Denning ever reported his concerns about privacy breaches to the state. According to the California Office of Privacy Protection, there is no state law that requires a non-state agency (such as Kaiser) to report breaches to the state itself.
Could Destroy Public Trust
When informed of the allegations, Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights provided a statement by email that said, in part:
If the whistleblower’s allegations are true, it is very disturbing, violates HIPAA, and may violate other state laws protecting consumers’ right to the privacy of sensitive personal information.
Proof of privacy violations of this magnitude will destroy public trust in specific corporations and severely weaken trust in all electronic health systems.
Also very troubling is the whistleblower’s assertion that his repeated warnings about these ongoing violations went unheeded. The Kaiser system holds itself out to the public as an example of a trusted user of electronic patient records. Sadly, what is alleged has actually been found to be true of many other health plans and healthcare corporations, as repeatedly reported by PHIprivacy.net and the media.
Kaiser was contacted by email and telephone on several occasions last week to request a response to the lawsuit. Although a Kaiser spokesperson indicated on Wednesday that they would provide this site with a statement, no statement was provided by the time of this publication. It should be noted that the claims in Denning’s lawsuit are allegations that have not yet been proven, or disproven, in court.
Hat-tip, Courthouse News.
Cross-posted from PHIprivacy.net.
Updated 3:04 pm: I received the following statement from a Kaiser Permanente spokesperson, which I am reproducing in its entirety. There was apparently a glitch with an email address, which delayed their transmission and my receipt of this statement for inclusion in the original article:
Kaiser Permanente does not publicly discuss personnel matters. However, Mr. Denning is alleging that he is being retaliated against for reporting compliance concerns and you need to know that is not true.
We encourage employees and physicians to report suspected compliance violations to leadership as well as our Compliance Hotline, where they may remain anonymous if they choose. Kaiser Permanente does not tolerate retaliation against individuals who report illegal, unethical, or otherwise inappropriate acts or against individuals who refuse to participate in wrongdoing.
Mr. Denning reported a number of compliance concerns. We conducted a thorough and unbiased investigation of each of Mr. Denning’s compliance concerns through our established compliance reporting and investigation process.
Confidential waste handling:
Mr. Denning’s characterization of confidential waste placed in public waste receptacles is not accurate. All waste receptacles for confidential patient information are located in secure, non-public, Kaiser Permanente work spaces. In response to the concern Mr. Denning raised, Kaiser Permanente performed an assessment of confidential waste handling throughout the building where Mr. Denning worked. Based on that investigation, we found no evidence that leads us to believe we have not complied with HIPAA requirements.
Further, we found no indication of an actual privacy breach resulting from the paper disposal processes in the building. Mr. Denning was informed of the outcome of this investigation.
Member records on shared drive:
Mr. Denning’s characterization that the records he identified were on a public site is not accurate. The file was on a Kaiser Permanente owned and controlled intranet shared server and was not available to the public. In response to Mr. Denning’s compliance complaint in 2007, an investigation determined that a valid issue about record control was raised, although there was no evidence of any actual privacy breach, nor any public disclosure of this information. The investigation found that the posting was inadvertent and the document was immediately removed from the drive. Mr. Denning was informed of the outcome of this investigation.
At Kaiser Permanente, we know that the trust our members place in us depends in large part on how we protect their confidentiality, privacy, and security, and we are dedicated to earning and protecting that trust every day. We are committed to complying with all applicable laws, regulations, and ethical standards.
Update 2, Aug. 15: Matthew Holt of The Health Care Blog has posted some commentary on the allegations and KP’s response here.
A new law that took effect in 2008 (Health and Safety Code sec. 1280.15) requires health facilities, such as hospitals and clinics, that are licensed by the California Department of Mental Health to report incidents of unauthorized access to patient records to the Department of Mental Health. You will find a link to that law on the Privacy Laws page of the California Office of Privacy Protection web site at http://www.privacy.ca.gov. – Joanne McNabb, Chief, California Office of Privacy Protection
California has really led the way on protecting privacy and notifying individuals if their data has been exposed or breached. And I think that notifying states or a central registry is essential if we are to understand the real scope and extent of certain problems.