Breaking up is hard to do: Kaiser Permanente sues former business associate for return of information
In June of 2012, I mentioned a dispute between Kaiser and one of its former business associates, Surefile Filing Systems. At that time, Chris Rauber had reported:
“Kaiser handed over to me several hundred thousand patient records without a written contract” in 2008 and the following year, said Stephan Dean, who owns Surefile with his wife, Lisa. Electronic versions of those records remain in his possession, Dean told the Business Times, and he wants $80,000 he says Kaiser owes his company before destroying or returning them.
Kaiser, not surprisingly, has a different take. At its request, Dean turned over all of its records in 2010 “that had temporarily been stored by this vendor,” says Diana Halper, a spokeswoman for Kaiser’s Southern California region. She alleges that Dean is “falsely claiming continued possession of medical information as leverage to extract an unearned and unfair settlement from a routine business matter that was properly resolved long ago.”
In my blog post, I noted that it was Stephan Dean, owner of Surefile, who had submitted the news link to Rauber’s report to this blog. I asked Dean to provide some proof of his claims. I did not hear from him, but months later, he e-mailed me to reiterate he was still in possession of patient information. I asked him again to provide proof. Again, he did not respond.
In November, Chris Rauber provided a follow-up on the dispute. By then, Kaiser had sued the Deans and sought an injunction requiring the return of any records.
According to a KP spokesperson:
After multiple attempts to resolve this matter, Kaiser Permanente has been forced to file suit against the Deans. Kaiser Permanente is committed to protecting the medical and personal privacy of its patients under all circumstances and from any possible threat, and will always act decisively to prevent any possibility of threat to the medical and personal privacy of Kaiser Permanente patients and members.
So it appears that by October, when they filed suit, Kaiser was acknowledging that not all information had been deleted or returned, even though they had claimed in their June statement that all records had been returned. The seeming contradiction between their June and November statements warranted further scrutiny, so I started looking into the dispute more.
In a statement sent to PHIprivacy.net this afternoon, Kaiser Permanente states:
As soon as we discovered that Surefile was not performing the services as agreed, we acted quickly to guarantee the security of our files, and ultimately physically retrieved all of them from Surefile. This was over two years ago, and we are confident we obtained all our patient records. At that time, Mr. Dean purported to have complied with his contract, and returned all the stored records, appropriately destroyed any other records he created, and agreed Surefile had been fairly compensated for its services.
Later, Mr. Dean began claiming he had kept emails from Kaiser Permanente, and spreadsheets Surefile created to track the paper files being archived, and began demanding additional payment to return or destroy these documents. Mr. Dean does not claim to have ever made or kept copies of patient medical files or to have viewed their contents.
In late December, Mr. Dean told Kaiser Permanente that he was deleting email and other electronic information he retained that contained patient information. This is a positive sign, although based on his behavior we will seek independent verification of his claim. The most important thing is that the files themselves were never inappropriately accessed, and we got all of the hard copies back.
In his November update, Rauber also reported:
Dean said he thought he’d settled the dispute with Kaiser in late March 2011, when he reached a confidential settlement to be paid $110,000 by Kaiser Foundation Hospitals and Kaiser Foundation Health Plan (but not, interestingly enough, Southern California Permanente Medical Group, which Dean says is responsible for many of the relevant patient files). But the settlement fell apart over a variety of issues, including Dean’s refusal to turn over his personal computers to Kaiser without additional compensation and, according to Dean, Kaiser’s refusal to include electronic records in an indemnification of the Deans and Sure File against future damages.
In the March 2011 confidential settlement agreement, Kaiser acknowledged that “Sure File (sic) and KP failed to fully memorialize their business relationship relating to the Services in a written agreement.” (Dean provided a copy of the confidential settlement agreement to the Business Times, he said, after it was included by Kaiser in court documents for the Superior Court case.)
In looking at the court filings, it appears that Dean’s claim that there was no written business associate agreement in effect in 2008 and 2009 when Kaiser handed over patient data may be accurate and that business associate agreements were backdated after the transfer of PHI. Kaiser’s complaint states that they entered into an agreement with Surefile in 2008 and that Dean agreed to comply with the usual terms of their agreements with business vendors, but they do not state that it was a written agreement, whereas in describing agreements made in 2009 and March 2010, they state that they entered into written agreements. According to Dean, however, even the June 2009 BAA was not signed at the time but was subsequently backdated.
Stephan and Liza Dean are representing themselves in this case, and you can read their response to the complaint. In their Declaration, they agree they entered into some of the agreements Kaiser claimed, but specifically deny that they entered into any confidential scanning agreement on November 17, 2009 that involved the Moreno Valley center. Importantly – from a HIPAA standpoint – they allege that Surefile was in possession of patient information from patients at the Moreno Valley Kaiser from 2008 to 2010 even though no written BAA was in place and that many of those records contained psychotherapist notes.
In a case as complex as this one, it is important to reiterate that there seems to be no dispute about whether the paper patient records have been returned. Nor does there appear to be any dispute as to whether any records have been improperly disclosed to others by the Deans; KP has no reason to believe there has been any improper access or disclosure. Their spokesperson states, “There has never been any evidence, complaint or accusation of any record disclosure or inappropriate access at any point in this process. All of the files provided to Surefile for storage were returned, over two years ago.”
But what was in all the unencrypted e-mails that Dean claimed to possess? Correspondence from Thomas Freeman, KP’s attorney, attached to Dean’s Declaration, referred to PHI being in the e-mails. In a statement to PHIprivacy.net, KP states that
By suggesting that unencrypted emails contained PHI, Mr. Freeman was alluding to non-clinical information that is also protected by state and federal law, even such items as names and demographic data. Kaiser Permanente regards all such information as essential to the privacy interests of its members and patients, and consequently is seeking legal protection for this data. If Surefile inappropriately retained emails which contain confidential information, Surefile is obligated to protect those records, and return or destroy them as appropriate. While there are no email encryption requirements under HIPAA or CMIA, our vendors are contractually required to maintain secure environments for all records, and this includes Surefile.
The case is in Riverside Superior Court in Indio.
In light of the Deans’ various claims over the past two and a half years, I would hope that the judge keeps the best interests of the patients in the forefront of any decision-making.
Dean reportedly filed complaints with both the CDPH and HHS, alleging that KP violated state and federal law.
With regard to the former, KP states that they were contacted by the state and have cooperated fully in an “ongoing dialogue with the CDPH on this matter to ensure that this kind of incident will not occur again. There have been no penalties to date on this matter.”
KP says they have not been contacted by HHS, so I guess we’ll have to wait to see what, if anything, HHS does. If Kaiser really didn’t have written BAAs in place before Surefile was given pallets of patient records or access to records with PHI, HHS might have something to say about that. But the more immediate concern is that a former business associate seems to still be in possession of e-mails that contain PHI, even if it is not necessarily particularly sensitive information.
Hopefully, Surefile will return the e-mails they reportedly agreed to return.