
Longview Hospital Appears to be Accessing Non-Patient Prescription Data

Records provided to The Lund Report show that when doctors leave PeaceHealth St. Johns Medical Center, officials there are able to access prescription records for the physician’s new patients – even when those patients are not affiliated with the PeaceHealth system
October 14, 2016

At least one Pacific Northwest hospital is getting private medical details of patients who do not seek care there – without those patients’ permission – in what may be a violation of federal laws, according to documents obtained by The Lund Report. And the situation may extend far beyond the PeaceHealth-owned hospital where these privacy breaches have been documented.

Documents show that when at least one doctor left PeaceHealth St. Johns Medical Center in Longview, Washington, officials at PeaceHealth did not “disassociate” from that physician in an online tool that is widely used within the industry. As a result, when the doctor joined an unrelated clinic, PeaceHealth St. Johns officials could access the records of the doctor’s new patients – without the permission of the doctor or his patients.

A former PeaceHealth employee who spoke to The Lund Report on condition that she not be named provided the documents. She said her online access to the CoverMyMeds website shows that multiple medical providers are still linked to PeaceHealth St. Johns in the system – making their private prescription health records visible to a health system where they are not receiving care.

CoverMyMeds said that it takes privacy seriously, and that the error appears to reflect incorrect use of its services by PeaceHealth. PeaceHealth did not respond to a request for comment by press time.

CoverMyMeds is a website that connects hospital and clinic electronic health records with insurance data and pharmacies, to track medical claims and help providers and pharmacists respond when a prescription request is rejected by an insurer. Hospitals and clinics have access to patient records when they are associated with a specific provider’s unique National Provider Identifier, or NPI, number.

The Lund Report’s source also offered screen-shot evidence that at least one PeaceHealth employee has accessed patient prescription records of a physician no longer employed by the Catholic healthcare giant.

“I’m unsure of where fault will land in a legal sense,” the former PeaceHealth employee said in an email, when asked whether the situation reflected an error by PeaceHealth or by CoverMyMeds. She said that she had repeatedly reported to both organizations that NPI codes continue to be associated with doctors after they leave PeaceHealth.

“In my opinion, both parties are absolutely at fault. They may have both had a little bit of naïve or disregard for the technicalities of it in the beginning, as you can’t possibly know what you don’t know,” she said in an email. “But that excuse became void the second they were both informed. And the third time they were both informed, is just plain disrespectful and rude to the patients and providers who were involved.”

Asked to assess a summary of the situation by phone, Massachusetts-based attorney David Harlow, who consults on healthcare law and has written about the Health Insurance Portability and Accountability Act, said this information sharing could violate HIPAA – though he was not familiar enough with the details to be certain.

“In HIPAA, there’s a notion of minimum necessary information sharing,” Harlow said. “The basic idea is that information should not be shared if there’s no good reason to share it. This should not be happening as a matter of course.”

At the same time, Harlow said, the harm from what might be a patient privacy breach appears to be minimal.

“If you are sharing information – possibly inappropriately – it’s better to go to a healthcare organization than to a random third party. At least when the data goes back to a hospital, the hospital has the ability to maintain the integrity of that data.”

Officials at CoverMyMeds maintain that it is the responsibility of hospitals and clinics to use its online tools responsibly.

“Like all enterprise software, organizations that use our technology need to manage employee access,” marketing director Chrissy Hand said in an email. “To make this as easy as possible, we encourage use of our single sign-on (SSO) capabilities and EHR integrations, both of which integrate with hospital system domain accounts to provide employee provisioning and de-provisioning. We outline the privacy responsibilities of organizations that use our service in our terms of service and business associate agreements.”

Hand referred The Lund Report to CoverMyMeds’ online privacy center at https://www.covermymeds.com/main/privacy_center/, and said that the company’s privacy officer, Mark Osoteo, would work directly with any hospital that needed assistance to disassociate from former health providers.

“We are concerned about a potential privacy issue,” Hand said. “If your source, or an associated employer, did not disassociate their former employee’s account and needs help, Mark would like to walk them through the process.”

Although PeaceHealth did not respond to The Lund Report’s request for a comment for this story, the healthcare organization has previously referred to documents provided by its former employee as signs of a patient privacy violation by that employee – who has acted as a whistleblower about other patient privacy concerns as well. In November of last year, the former employee was reported to law enforcement by PeaceHealth, and her computers and files were seized, but she was never charged.

“To help prevent future incidents such as this, we are enhancing processes to ensure former employees are not able to access third-party websites and portals under any circumstance,” Gary Chodo, vice president of organizational integrity for PeaceHealth, said in a press release issued last year.

The former employee said that as of this month she is still able to access evidence that former PeaceHealth doctors’ prescription records are being accessed by PeaceHealth after they leave its Longview hospital.

To contact The Lund Report, email [email protected].
