Thursday, February 13, 2014

InformaticsMD on NPR Affiliate KNPR regarding electronic medical record privacy: St. Rose hospital group used patient information to solicit patient lobbying?

Radio station News 88.9 KNPR, the NPR affiliate in Las Vegas, did a segment today on the following news story.  The station's Senior Producer had invited me to participate via phone regarding the patient privacy issues it raises.

Emphases mine:

February 10, 2014 - Updated  February 11, 2014
Federal complaint alleges St. Rose Hospitals violated patient privacy


Dignity Health, the owner of St. Rose Dominican Hospitals, is facing a federal complaint alleging it violated patient privacy by using patient records as leverage in a contract dispute.
According to a Monday announcement from the Nevada Health Services Coalition, Dignity Health used patient records to contact those with coalition member plans after agreements between the two agencies fell through in January, something it contends violates the Health Insurance Portability and Accountability Act, or HIPAA. The complaint was filed with the U.S. Department of Health and Human Services Office of Civil Rights.

The complaint contends St. Rose contacted former patients in an attempt to persuade them to take action with their health plans favorable to St. Rose. The complaint also said that St. Rose claimed their actions were simply to be “informative.”

“It’s our position that patient data collected in the course of medical treatment should not be used to lobby or gain leverage in contract negotiations,” said Christine Carafelli, executive director of the coalition.

The Nevada Health Services Coalition is a nonprofit entity that negotiates hospital contracts for discounted health care service rates for 19 member group organizations, totaling approximately 230,000 Nevada residents.

A spokesperson for St. Rose said they would issue a statement on Tuesday. 

The segment has now completed.  It was hosted by Dave Becker of KNPR.

A representative of the Health Services Coalition (a local organization of union, casino and local government health funds who bargain together for maximum leverage) participated, as did a hospital VP. 

The coalition is accusing the St. Rose hospital group (a division of Dignity Health) of using patient records to contact patients to urge them to lobby for the hospital in contract negotiations.

I was asked for an opinion on the acceptability of access to patient information in an organization's EHR systems (including PHI such as name, address and other contact information) for purposes of soliciting the patients to lobby the insurers on behalf of the healthcare organization for better terms.

My opinion was clear, which I summarize as follows:

1.  Hospitals do not "own" patient data to use as they please.  It is not a simple business asset, like typewriters - or computers.  Any belief that a hospital can treat patient records as such, to be used as it pleases, would reflect arrogance;

2.  The HIPAA privacy rule and its exceptions (viewable at, section under "Permitted Uses and Disclosures") would preclude the use of patients' private and protected information in an EHR for selective solicitation to lobby on behalf of the hospital;

3.  Who accessed the patient information, and exactly what they accessed, is not clear; the electronic audit trail covering these accesses needs to be disclosed;

4.  Harm could potentially come to patients if someone who accessed the information, who otherwise might not have, used it to advantage for other purposes.  This includes, for example, uses outside of the medical sphere (e.g., personal use by, say, a neighbor or competitor).  I am aware of cases of such abuse, as is HHS and so are hospitals (see my blog query links on medical record privacy and confidentiality at and; and:

5.  The hospital could have accomplished such goals transparently, safely, and without access to private health information, by putting an ad on the radio (or newspaper etc.), or mailing a general newsletter such as I often receive from area hospitals, even hospitals where I was never a patient.

A hospital VP contributed soothing words to the effect that the hospital respects patient privacy, trusts its employees and doesn't wish this matter to become a stumbling block in negotiations.  However, in my opinion the hospital violated the HIPAA privacy rules and potentially put patient privacy at risk. 

No amount of soothing, deflecting executive language and shifting of the discussion can change that, and a full disclosure accounting would be proper. 

(I note the HIPAA privacy rules do not state "For informational purposes only.  Use patient information however you want if you trust your employees and you think the risk is low.")

Such an accounting is possible, that is, only assuming an audit trail of sufficient detail is recorded in their EHRs, assuming it is turned on, and assuming it can be trusted in light of the HHS OIG report of Dec. 2013, in which many hospitals admitted EHR audit trails can be deleted or edited by a person with appropriate credentials.  (See my Dec. 10, 2013 post "44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like" at

The segment audio is online here:

-- SS 

Feb. 14, 2014 Addendum:

A thought experiment demonstrates just how far from propriety, in my opinion, this affair is:

If a hospital can use confidential information in this manner, to enlist patients as de facto lobbyists regarding an insurer, then why could a hospital not use other data - e.g., patients' disease burden, smoking status or even sexual orientation - to ask them to lobby, say, a politician to gain some advantage, such as certificate-of-need approval for expansion, or anti-competitive legislation?  Or to ask patients to participate in political activities for/against some politician or group that might hold views or conduct activities favorable/unfavorable to the hospital's interests?

-- SS


Anonymous said...

The EHR data does not have to be accessed directly to enable lobbying such as described in the story. Any data warehouse or decision support application with basic reporting capabilities will be able to provide the demographic information needed in this situation.

InformaticsMD said...

Anonymous said...

Any data warehouse or decision support application with basic reporting capabilities will be able to provide the demographic information needed in this situation.

The propriety of whatever was actually accessed will be up to the authorities to determine and decide, although the sources you mentioned IMO would still likely contain PHI.

-- SS

Anonymous said...

Patients should have the right to opt out of having their data stored on someone else's device.

Steve Lucas said...

I told my attorney wife, who has experience with HIPAA, of this and after the “WHAT” she was quite emphatic that this is a violation of the act.

My problem is that I could not think of doing something like this, which proves the type of person we are dealing with has no concept of propriety or respect for the law.

Steve Lucas