About Me

My photo
Nazareth, Pa., United States

Wednesday, December 03, 2014

Did NorCo Violate HIPAA With Cost Control Consultant?

I'm at war with Northampton County right now over its refusal to supply email exchanges between the County and C3, the cost control consultant hired to trim health benefits. My appeal is being considered by the state Office of Open Records (OOR).

It is one of C3's people who told County employees, "Nobody subpoenaed you to work here."

Although the County supplied copies of three contracts with C3, it has refused to provide any of its 141 email exchanges, citing numerous reasons. Because I find it impossible to believe that all 141 emails are privileged, I have sought an in camera inspection. This requires the County to disclose copies of the contested information to the OOR for their own review. These documents are maintained in a secured file, with access limited to the Appeals Officer, Executive Director and lawyers who work for the OOR.

On Monday, the OOR ordered the County to provide it with copies of all emails on or before December 15. But the County is dragging its feet. In addition to all the exemptions it raised before, it is now arguing that disclosure to a judicial body of state government could very well be a violation of The Health Insurance Portability and Accountability Act, commonly known as HIPAA.

Though I have made clear repeatedly that I have no interest in specific individuals or claims, and am interested only in the more generalized discussions, the County claims that it exchanged "four (4) substantial excel" spreadsheets with C3 that "contain specific plan participant names and information about what benefit plans they participate in, and in some instances further identify their partipating [sic] family dependents' names and dollar-amounts of usage, social security numbers, etc., which is information relevant to obtaining quotes on certain insurance coverage."

Attorney Dan O'Donnell, Northampton County's very capable Right-to-Know Officer, is right to be concerned. In fact, I have made clear again that I have no interest in these matters, which do strike me as sensitive information.

Here's my question: If the County is so worried about violating HIPAA by disclosing sensitive documents to a judicial state agency that keeps information secure and limits access, why was it so willing to share this sensitive information with C3?

Though C3 has a confidentiality clause in its contracts, in which it promises to handle information provided by the County in the same way that it handles its own information, that's no guarantee of privacy. The Privacy rule in HIPAA requires that employees be notified precisely how the County may use and disclose protected health information about individual, as well as their rights and the County’s obligations with respect to that information.

I doubt very much that any County employee was informed that John Brown intended to disclose their private medical information along with their social security numbers, to a cost control consultant. Though there is a procedure for filing a complaint for this apparent violation, the only ones who will suffer from any fine are the employees and taxpayers.

This is just another illustration why government by consultant is so bad.

20 comments:

Anonymous said...

If we are to discuss honestly then get your facts straight. The so called palace or human service building is not half empty. On fact when workers and departments moved in it was at max capacity. There was little to no room for any expansion and that I took issue with in the development stage.

If there was a violation of HIPAA then Brown can be held personally liable for each violation. Time to remove this incompetent politician from the NorCo government!

monkey momma said...

Health care costs are a major line item on any employer's budget. It makes sense that a cost cutting consultant would need some (but certainly not all) of that data.

What this points to do is the overall ridiculousness of having employers be responsible for health care benefits in the first place.

Bored said...

just increase their payments and move on. much to do about nothing

Anonymous said...

"This is just another illustration why government by consultant is so bad."

Bawhahahaha. The alternative is government by the crooks who've been ripping us off for years. Previous administrations have used consultants. You just don't like this particular one. You said nothing about previous ones that wasted a million on behalf of your coffee and pie buddy.

Anonymous said...

And how do any employees know if this personal and invasive information is being protected?

Anonymous said...

I dont understand why they would need ANY employee information. What purpose does it serve? Why wouldnt general information be all they needed? All employees should file a complaint.

Anonymous said...

What this points to do is the overall ridiculousness of having employers be responsible for health care benefits in the first place.

Employers don't want to pay for healthcare and they don't want to pay increased taxes for universal healthcare. Part of the reason for the ACA was to provide portable health insurance.

Bernie O'Hare said...

"And how do any employees know if this personal and invasive information is being protected?"

You don't. The same information that the County is so reluctant to hand over to a judicial body of the government was handed right over to a consultant, based on a confidentiality agreement that is not worth the paper it is written on.

Bernie O'Hare said...

"What this points to do is the overall ridiculousness of having employers be responsible for health care benefits in the first place"

Yeah, those morons of the past, who actually gave their employees vacations and helped pay for their medical expenses, are so passe in out New Order in which the rich are very rich and the poor must know their place.

If the cost control consultant needed this sensitive data, he needed to sign a very specific agreement and employees should have been notified.

Bernie O'Hare said...

6:21, I deleted the comment preceding yours, which was an assortment of lies having nothing to do with the topic, posted by Henry Schaadt.

Anonymous said...

Thanks for the clarification Bernie!

I agree with your point and will add that Not only employees should have been notified but needed to sign a release so the consultant can see this information.

I for one am anxiously awaiting the results of your RTK.

Thanks for your diligence!

monkey momma said...

"Yeah, those morons of the past, who actually gave their employees vacations and helped pay for their medical expenses, are so passe in out New Order in which the rich are very rich and the poor must know their place."

No no, I mean we should have universal health coverage, independent of our employers' whims.

Bernie O'Hare said...

I agree with that. You to be surprised at the number of Republicans who now bully we need a universal healthcare pretty much as a result of Obamacare

Anonymous said...

Are employees able to contact the feds if they think their information has been used?

Bernie O'Hare said...

Yes. You can even file a complaint online.

http://www.hhs.gov/ocr/privacy/hipaa/complaints/

Anonymous said...

It should be fairly evident by now that this administration will say or do anything they feel is needed to move forward their agenda. Doesn't matter if it is legal or ethical. Nothing changes with these people. They will run you and your rights over unless you push back hard! Good job Bernie as this RTK is a biggie as evidenced by their refusal to cooperate. What are they hiding? We'll soon find out.

Anonymous said...

complaint filed

Anonymous said...

Is it possible to file a complaint anonymously? I'm outraged that my private medical info has been shared with a 3rd party, but I've been an employee of the county long enough to fear retribution...

Anonymous said...

I would also like to know if we can ask for them to look into this without our names? Could we ask for an investigation for all counties?

Bernie O'Hare said...

I believe you have to identify yourself. The Feds say you are protected from retaliation.