The Kaiser Papers: A Public Service Web Site
In Copyright Since September 11, 2000
Help for Kaiser Permanente Patients on this public service web site.
Permission is granted to mirror if credit to the source is given and the
material is not offered for sale. The Kaiser Papers is not by Kaiser but is ABOUT Kaiser
Real risks in Kaiser's contracts
San Francisco Chronicle (CA) (Published as THE SAN FRANCISCO CHRONICLE) - May 23, 2003
Author/Byline: David Lazarus | Edition: FINAL | Section: BUSINESS | Page: B1 | Column: LAZARUS AT LARGE

Kaiser Permanente wasn't happy about my column detailing the Oakland health care giant's outsourcing of tech support to companies in India.

I wrote that overseas contractors have access to Kaiser patients' medical data, including lab results and drugs taken; members' personal information, including financial records and home addresses; and payroll files for 135,000 Kaiser employees and 11,000 physicians, including salaries and Social Security numbers.

I also wrote that the depth of members' and employees' information available to techies abroad will increase in coming years as Kaiser proceeds with its ambitious plans to move much of its systems maintenance to Indian firms.

In a letter to The Chronicle this week, Bernard Tyson, Kaiser's senior vice president for communications, and Matthew Schiffgens, senior issues management consultant, responded that "protecting our members' privacy is a primary mission for every Kaiser Permanente employee and physician."

They stressed that all of Kaiser's offshore work complies with the Health Insurance Portability and Accountability Act, or HIPAA, which is intended in part to protect the privacy of members of U.S. health care organizations. HIPAA compliance also figured prominently in internal talking points issued by management to Kaiser employees after my first column on this subject.

Well, let's take a closer look.

I've heard from dozens of past and present Kaiser workers in recent days, and they say that HIPAA in no way serves as a guarantee that patients' and employees' private information will remain private.

Judith Toledano used to work for Kaiser and now handles the info-tech needs of a state health agency in Sacramento that she'd rather not name ("I don't want to get into trouble," she told me). Among other things, Toledano oversees HIPAA compliance for her department.

"I'm not comfortable having my records go overseas," she said. "It's one thing for Dell to service my computer from India. It's another thing to have someone access my medical records." HIPAA requires that a health care provider like Kaiser ask outsourcing firms to agree in writing that they'll protect members' privacy. The outsourcing firms in turn are contractually obligated never to exploit or misuse information from the provider's computer network.

"But how do you enforce that?" Toledano asked. "How can you possibly enforce something like that when you're thousands of miles away?"

Indeed, this is one of the flaws in the HIPAA system. While violations by a domestic contractor could lead to hefty fines, an overseas outsourcing firm is not subject to U.S. laws and regulations.

The only thing keeping it honest, in effect, is a piece of paper promising that its workers will be good.

"It's a bit of the honor system," acknowledged Ann Geyer, a health care industry consultant specializing in HIPAA issues. "Patients do have reason for concern that overseas outsourcers have access to huge amounts of information." HIPAA does not require organizations like Kaiser to actively monitor the activities of "business associates" such as Indian outsourcing firms, she said.

Rather, action would be called for only if Kaiser should learn of inappropriate behavior.

By then, of course, it's already too late.

"HIPAA is not about patients," Geyer said. "It's about the duties of health care organizations." Kaiser may be fully HIPAA-compliant, in other words, but that doesn't ensure the privacy of its 8.3 million members.

I spoke with a worker at one Kaiser computer center who helps oversee the organization's HIPAA compliance. He noted that any time a third party -- a police investigator, say -- requests members' medical data, Kaiser is obliged under HIPAA to keep detailed records of who accessed the files.

But if a techie in New Delhi opens the same files, no records are required.

"The thinking is that the information is still technically within the company," the Kaiser worker said. "But that's not true. It's now obviously outside."

Gerry Hinkley, a San Francisco lawyer specializing in health care regulatory matters, confirmed that outsourcing firms do not qualify under HIPAA as third parties.

As such, he said, there's no requirement for them to keep records about any information they may have seen or even copied.

"The burden is on the covered entity (such as Kaiser) to have appropriate safeguards," Hinkley said. Kaiser says its outsourcing firms "must abide by our strict security and confidentiality procedures, as well as all federal guidelines regarding patient privacy."

But one Kaiser tech worker I spoke with said there's virtually nothing to stop an errant techie abroad from copying down confidential information from Kaiser's files and exploiting it for personal gain.

"He could send it on the Internet to a friend in this country to get a birth certificate," the worker said, citing a worst-case scenario.

"This data's important to people," the worker added. "I'm a Kaiser member and I don't want anyone knowing I have a certain condition or take a certain drug. I don't want anyone knowing my Social Security number."

I can appreciate that Kaiser takes members' and employees' privacy seriously. But I'm not wrong when I say there's a danger that confidential information could leak out.

And if HIPAA is the best defense Kaiser can muster, then members have every reason to wonder if these guys are really placing privacy foremost among their concerns as they save a few bucks shipping jobs overseas.

Physician, heal thyself.

Index terms: Health Insurance Portability and Accountability Act (HIPAA); BUSINESS; CONTRACTS; HOSPITALS; PRIVACY; REGULATIONS
Record: 3296351
Copyright: Copyright 2003 The Chronicle Publishing Co.