It is one of C3's people who told County employees, "Nobody subpoenaed you to work here."
Although the County supplied copies of three contracts with C3, it has refused to provide any of its 141 email exchanges, citing numerous reasons. Because I find it impossible to believe that all 141 emails are privileged, I have sought an in camera inspection. This requires the County to disclose copies of the contested information to the OOR for their own review. These documents are maintained in a secured file, with access limited to the Appeals Officer, Executive Director and lawyers who work for the OOR.
On Monday, the OOR ordered the County to provide it with copies of all emails on or before December 15. But the County is dragging its feet. In addition to all the exemptions it raised before, it is now arguing that disclosure to a judicial body of state government could very well be a violation of The Health Insurance Portability and Accountability Act, commonly known as HIPAA.
Though I have made clear repeatedly that I have no interest in specific individuals or claims, and am interested only in the more generalized discussions, the County claims that it exchanged "four (4) substantial excel" spreadsheets with C3 that "contain specific plan participant names and information about what benefit plans they participate in, and in some instances further identify their partipating [sic] family dependents' names and dollar-amounts of usage, social security numbers, etc., which is information relevant to obtaining quotes on certain insurance coverage."
Attorney Dan O'Donnell, Northampton County's very capable Right-to-Know Officer, is right to be concerned. In fact, I have made clear again that I have no interest in these matters, which do strike me as sensitive information.
Here's my question: If the County is so worried about violating HIPAA by disclosing sensitive documents to a judicial state agency that keeps information secure and limits access, why was it so willing to share this sensitive information with C3?
Though C3 has a confidentiality clause in its contracts, in which it promises to handle information provided by the County in the same way that it handles its own information, that's no guarantee of privacy. The Privacy rule in HIPAA requires that employees be notified precisely how the County may use and disclose protected health information about individual, as well as their rights and the County’s obligations with respect to that information.
I doubt very much that any County employee was informed that John Brown intended to disclose their private medical information along with their social security numbers, to a cost control consultant. Though there is a procedure for filing a complaint for this apparent violation, the only ones who will suffer from any fine are the employees and taxpayers.
This is just another illustration why government by consultant is so bad.
