Kaiser Permanente is one of the most admired and well-branded organizations in all of healthcare, but as the Los Angeles Times reported last weekend, its record keeping department suffered a brain cramp that could potentially cost it millions of dollars.
It turns out Kaiser turned over the records of 300,000 of its patients to a Los Angeles-area couple who ran a small record storage business.
Emphasis on the "small"--Stephan and Liza Dean kept the records in a storage space shared by a couple of other businesses, and later in their home. They moved hard drives containing patient spreadsheets into a spare room after Kaiser complained that their unlocked garage was not secure enough.
However, Kaiser insisted in the article it did nothing wrong in terms of safeguarding patient protected healthcare information (PHI). Despite the fact that it has spent billions of dollars to develop a state-of-the-art electronic medical records system, it was still sending out patient data to people like the Deans, who decided they couldn't spend the money on gasoline to deliver those records when Kaiser requested them.
That contracting choice has led to separate investigations by both California and federal regulators.
"In retrospect, we certainly wish we'd never done business with Mr. Dean," the LA Times quoted a Kaiser spokesperson as saying.
The key phrase here is "in retrospect."
Despite ongoing media reports of hospitals and health plans getting called out for breaches of patient records, this "out of sight, out of mind" attitude about medical records is commonplace. Employees regularly leave laptops in the back seats of their cars containing PHI that gets stolen. Desktops in hospitals remain in offices that are unlocked and often walk themselves out the door.
One of the most amusing accounts I've encountered: The backup thumb drive attached to an MRI machine was taken surreptitiously, no doubt because the swiper needed it for their own storage needs.
Most astonishingly, I recently witnessed a physician nonchalantly admit to a judge that she couldn't turn over patient records and photos because they were on a hard drive that she had lost. This occurred in the first moments of a hearing to determine whether she was going to have her medical license revoked. For some reason her attorney told me to go away when I followed up during a courtroom recess.
This attitude, according to the many experts and hospital compliance officials I've interviewed on this topic, is driven by the fact that a breach hasn't yet happened to that specific entity.
However, this kind of sloppiness can be hideously expensive. A report issued by the American National Standards Institute (ANSI) last year estimated that a data breach at a major teaching hospital in a big city such as New York could cost as much as $26.5 million when counting the costs of notifying patients, legal fees, crisis PR and reputational damage. The breach ANSI simulated for its report began with a mom-and-pop operation losing the records it had stored on the hospital's behalf.
Sound familiar, Kaiser?
Along with the laissez-faire attitude toward storing its patient records, it turns out Kaiser personnel regularly communicated with the Deans via unencrypted emails that contained patient specifics.
Again, this is not a huge surprise. A recent survey by HIMSS indicated that nearly 40 percent of the entities covered under HIPAA still do not encrypt their emails. Security experts tell me there is still a fear left over from a decade ago that encryption software remains hideously expensive and will compromise the performance of IT systems. That's despite the fact that encryption is native on iPads and most other Apple devices, and can be obtained for pennies for pretty much any other computer and smartphone system.
Of course, not every hospital system leaves itself unprotected. Those that have made the investment in protecting PHI are usually those where the cost-benefit argument has been made clearly and forcefully enough to the CFO. - Ron (@FierceHealth)