[BreachExchange] Official admits Portland didn’t initially follow proper protocols in disclosing patients’ information

[Destry Winant]

http://www.pressherald.com/2017/12/13/official-admits-city-didnt-initially-follow-proper-protocols-in-disclosing-patient-information/

A Portland official acknowledged Tuesday that the city did not
initially follow proper protocols before sharing the protected
personal health information of more than 200 HIV-positive patients
with researchers at the University of Southern Maine.

“Although USM’s researchers’ original written assurance that they
would protect such information did not include all of the language
required in a HIPAA business associate agreement, the city and USM
promptly corrected that technical deficiency by executing a fully
HIPAA-compliant business associate agreement,” City Hall
Communications Director Jessica Grondin said in a written statement
Tuesday evening.

Two former patients at a city-run clinic and two doctors who worked
there have accused the city of violating the Health Insurance
Portability and Accountability Act, or HIPAA, which is intended to
protect the privacy of personal health information. Their accusation
stems from the fact that the city did not get written permission from
patients before sharing their names and contact information with
researchers.

The two doctors at the India Street Public Health Center also
criticized the city’s response to the concerns of patients who
received care at the city-run clinic. And a former patient, who is
part of a group overseeing the USM survey, pushed back against the
city’s assertion that the group was fully informed of the city’s plans
to pass the patient information to researchers.

Earlier Tuesday, Grondin said city attorneys had advised staff –
including Julie Sullivan, an adviser to the city manager and the
city’s former public health director who oversaw the process, and Dr.
Kolawole Bankole, the city’s current public health director who is
also a member of the Muskie School’s Public Health Adjunct Faculty –
to not give interviews.

“We are not going to do interviews,” Grondin said then. “The
information we sent you speaks for itself.”

Grondin brushed off a reporter’s request for the names of the city
employees who created the list of patient information and gave it to
USM so they could conduct a survey of former HIV patients at the
city’s health center. The survey is designed to get feedback about
each patient’s experience in finding new medical providers after the
city closed its Positive Health Care program last year.

SURVEY SUSPENDED AFTER COMPLAINTS

Mayor Ethan Strimling said he supports the survey, but wants to ensure
that the patients’ concerns are being addressed. He also is interested
in seeing new policies and procedures the city says it adopted after
the backlash from patients.

“I feel like doing the survey was very important,” Strimling said. “I
want to find out what happened to the patients who were there. I hope
we can figure out a way to make this work for the patients and the
researchers going forward.”

Former patients were first notified of the survey in a Nov. 3 letter
from USM, which indicated that researchers received their contact
information from the city. A USM official said in an interview that
the institution received the information in October, after its
institutional review board had established guidelines for handling and
protecting the information.

The city suspended the survey after receiving two formal complaints,
one of which was filed Nov. 11. After an investigation, the city
entered into a new agreement with USM that included additional privacy
protections. The survey is now moving forward and is expected to be
finished in January, city officials said.

City Councilor Belinda Ray, who leads the council’s Health and Human
Services Committee, which will review the survey results, did not
respond to a request for comment Tuesday.

In a letter sent to patients Nov. 11, Bankole said the HIPAA law
allows the city to share protected health information without patient
consent for the purposes of research or program evaluation, provided
that researchers ensure the confidentiality of that information and do
not identify any patients in subsequent research reports.

PENALTIES FOR VIOLATIONS CAN BE HEAVY

Patient privacy violations under HIPAA can be costly. The U.S.
Department of Health and Human Services, as well as state attorneys
general, have authority to investigate improper disclosures, negotiate
settlements and impose civil or criminal penalties. The severity of
those penalties depends on the nature and circumstances of the
violation.

In February, the DHHS Office for Civil Rights fined Children’s Medical
Center of Dallas $3.2 million after someone stole unencrypted mobile
devices containing information on more than 6,000 patients. In another
case, St. Luke’s-Roosevelt Hospital in New York was fined $387,000 in
May for disclosing protected information about an HIV patient to the
patient’s employer.

The incident in Portland reopened old wounds caused by the city’s
decision to transition a federal grant for the Ryan White HIV Positive
Health Care, which served many LGBT patients, to the Portland
Community Health Center, which is now Greater Portland Health. In
hours of public testimony, patients pleaded with councilors to
preserve the clinic, but the council moved forward with the plan last
year. A city analysis showed that only 33 of the 229 patients moved to
Greater Portland Health, which was fewer than expected.

Two former doctors at the city clinic said they had previously warned
the city that creating a list of patient names and contact information
would be a breach of privacy.

Dr. Caroline Teschke, the former program manager at the clinic, said
the federal agency that funded the Ryan White Program a few years ago
required the city to get written consent from each patient before
reporting individual data to the federal agency. Before that change,
the agency only collected aggregate data that did not identify
patients, she said.

“They were absolutely adamant that we obtained consent from every
single person in the program,” Teschke said. “The consent had to be
written in such a way that patients knew exactly what was entailed
before their information was released. It was time-consuming, but we
did it. In addition, a standard consent form always spells out in very
specific terms what may or may not be released, and individuals have a
right to exclude certain information if they so wish.”

USM Assistant Provost of Research Ross Hickey said USM researchers who
received the initial list of patient names and contact information
were under the impression that the patients had authorized the release
of their information.

Hickey did not respond to questions Tuesday about why the university
believed patients had consented to the release of their information
and how USM received the patient information: by email, certified mail
or another means.

After the city received complaints, it suspended the survey. It then
entered into a business associate agreement with USM, which is one of
several ways to share patient information without consent, according
to a summary of privacy protections posted by the federal DHHS.

The city’s letter to patients contained an apology for not doing more
to inform patients about the survey ahead of time. It also noted that
the city was “implementing new and updated policies and procedures for
ensuring that our health care entities and programs better communicate
with patients regarding uses and disclosures of their patients’
(protected health information) for these types of research, program
evaluation and business associate-related purposes going forward.”

LETTER MADE ‘A BAD SITUATION WORSE’

The city would not provide a copy of the old and new policies and
procedures when asked Tuesday. Nor did it provide blank consent and
release forms that patients at the HIV clinic may have been asked to
sign.

Meanwhile, Teschke and Dr. Ann Lemire, the clinic’s former medical
director, said that the city’s letter, which is loaded with legal
terminology, only made “a bad situation worse.”

“Once again they have violated the patients’ integrity with their lack
of respect by sending this letter that no one will understand,” Lemire
said. “I hope that people will feel free to contact the Attorney
General’s Office for a solid opinion and not rely on those proposed in
this letter.”

A spokesman for the AG’s Office said Tuesday that it could not
immediately answer questions about the circumstances under which an
institution can share health information with researchers without a
patient’s consent, and whether the rules were different for sexually
transmitted diseases, such as HIV.


Lemire, who said she refused to provide the list when asked six weeks
ago, said the city should have been extra careful with the HIV patient
information because it was a relatively small group. “No institution
worth its salt would do research without an updated consent on what
the research was, how it would impact the patient (both privacy-wise
and participation-wise) and by what means would the results be shared
with the participants,” she said in an email.

DISPUTE OVER MAILING PROCEDURES

A member of the city’s Patient Advocacy Committee also pushed back
against the city’s response Tuesday.

Jenson Steel, a former patient at the city clinic and committee
member, said Sullivan, the city’s former public health director, told
the committee Aug. 29 that the city would be mailing the surveys, not
USM, in order to protect patient privacy.

Grondin said that wasn’t the case.

“USM was at the meeting we had with the PAC – and we spoke clearly
about what the process would be,” she said. “We asked explicitly about
how to contact people in the hour-and-a-half meeting that was held. We
have kept the PAC informed all along.”

Steel said he would “testify in court” that Sullivan assured the group
that the city would be mailing the information to patients. He sent an
email to Grondin on Tuesday afternoon, seeking an apology.

“I specifically voiced that the mailing has to come from the city or
there would be repercussions from the patients,” he said, adding that
he was upset that the city was trying to “discredit a displaced
patient who was trying to help.”

“They can dispute it all they want,” he said.