[BreachExchange] Maine attorney general reviews Portland survey of HIV patients for privacy violations

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:50:52 EST 2018


The Maine Attorney General’s Office is reviewing whether the city of
Portland violated patient privacy laws when it recently gave the names and
contact information of more than 200 people previously enrolled in its
HIV-positive health care program to researchers at the University of
Southern Maine.

City officials apologized last week for not telling patients of the former
HIV-positive program at the India Street Public Health Center that it
planned to share their private health information, addresses and phone
numbers with USM’s Muskie School of Public Service.

However, city officials insisted that sharing the list wasn’t a formal
breach of HIPAA – the federal Health Insurance Portability and
Accountability Act, which aims to protect the privacy of personal health
information – because the law contains exemptions for research and program

Jenson Steel, a member of the health center’s patient advocacy committee,
said he contacted the Attorney General’s Office about the city’s action and
was informed that the office is looking into possible violations of federal
and state patient privacy laws.

“I can confirm that the Attorney General’s Office has received requests to
review the disclosure of identifiable HIV patient information,” office
spokesman Andrew Roth-Wells said in an email Tuesday. “The AG’s office will
be reviewing the requests.”

The city drew fire from patient advocates when it closed its federally
funded HIV-positive program at the India Street clinic in December 2016 and
transferred it to the private nonprofit Portland Community Health Center,
now called Greater Portland Health.

When a city analysis showed that only 33 of 229 patients in the program
moved to Greater Portland Health, the city decided to conduct a survey
through the Muskie School to get feedback on each patient’s experience.


The city has been wrangling with privacy concerns related to the survey for
at least three months.

Dr. Ann Lemire, former medical director at the India Street clinic, said
Tuesday that she was first asked on Sept. 11 to provide a contact list of
former patients for the survey. Lemire declined the request, she said, and
warned that providing such a list to the city would violate HIPAA.

To avoid violating privacy protections, Lemire said, the city should have
sought permission from patients before the program closed in order to
contact them for a follow-up survey. Who created the list and provided it
to Muskie School researchers remains unclear. A USM official said the
researchers were under the impression that the patients had authorized the
release of their information.

“My hope is the AG’s office will go after this HIPAA violation for all of
the patients who were affected,” Lemire said. “Some of them may not even be
aware that their information was shared.”

Former patients received the survey from the Muskie School with a cover
letter – dated Nov. 3 and addressed to “Participant” – indicating that the
city provided their contact information. A USM official said the
institution received the patient contact list in October, after it had
established guidelines for handling and protecting the information.


The city suspended the survey after receiving two formal complaints,
including one filed Nov. 11, city officials said. The city then determined
that it had failed to secure a HIPAA-compliant business associate agreement
with USM before sharing patient information.

The city “corrected that technical deficiency” by executing a fully
HIPAA-compliant agreement with USM after the fact, including additional
privacy protections, city officials said.

Last week, after the Portland Press Herald started investigating patients’
privacy concerns, city officials said they planned to send survey
participants a five-page form letter from Dr. Kolawole Bankole, the city’s
public health director, who also is a member of the Muskie School’s public
health adjunct faculty.

In the letter, Bankole apologized that the city didn’t do a better job of
communicating with survey participants, but denied that it violated privacy

The letter also noted that the city was “implementing new and updated
policies and procedures for ensuring that our health care entities and
programs better communicate with patients regarding uses and disclosures of
their patients’ (protected health information) for these types of research,
program evaluation and business associate-related purposes going forward.”

City officials declined to provide documents related to the survey, which
they said was moving forward and expected to be completed in January.