Add one more victim to the casualty list of the federal government's zealous Medicare fraud investigations: patient confidentiality.
A 161-page legal brief submitted Aug. 21 in Kansas City, Kan., by the assistant U.S. attorney for Kansas contains deep within it two laboratory billing records. Nine billing printouts contain the names of 274 patients. The printouts show the tests performed on each patient, the dates of the tests and the charges. The tests were done by Rockhill Medical Laboratory in Kansas City, Mo.
When asked about the records, the U.S. attorney for Kansas, Jackie Williams, said, "Any documents we attached had previously been made public." The prosecutor declined further comment.
The names of the patients and their respective procedures are now part of the public record in what has become known as the Blue Valley Medical Group case, a massive prosecution of two doctors, three hospital executives and two lawyers who've been charged with conspiring to defraud Medicare by paying for patient referrals (July 20, p. 2; July 27, p. 14; Sept. 7, p. 8).
Two of the five hospitals alleged to be involved in the kickback scheme have settled with the government for a total of $18.7 million. That includes a $17.5 million fine paid by Baptist Medical Center in Kansas City, Mo., which is at the center of the probe. Three other hospitals may still be under investigation.
Patient privacy experts said they were astounded that private information about patients was made public as part of a legal motion by Assistant U.S. Attorney Tanya Treadway, who is prosecuting the case. They said the situation underlines the need for vigilance, not only among providers but also among lawyers and investigators.
"I saw (the billing information) and almost had a heart attack," said Kathleen Frawley, vice president of the Chicago-based American Health Information Management Association.
"It's a pretty horrifying thing to come across, but why am I not surprised?" said Denise Nagel, M.D., executive director of the National Coalition for Patient Rights. "What was done here was really sloppy. There is no reason why these names could not have been deleted."
"Somebody was asleep at the switch," said Claire Obade, a lawyer in Philadelphia who specializes in provider responsibilities to patients. "This information shouldn't go into the public file. The U.S. attorney should not have done what she did. It's clearly a very weighty matter."
Paul Schyve, M.D., senior vice president of the Joint Commission on Accreditation of Healthcare Organizations, said JCAHO standards obligate healthcare organizations to protect patients' confidentiality. "For a hospital, for an accredited laboratory, to simply release information that had the patient's name . . .would be a breach of confidentiality."
Nagel, a psychiatrist, said some information on the sheets could affect the person's ability to get health insurance or even his or her employment.
One female patient, for example, had her lithium levels checked. The drug is commonly prescribed for bipolar disorder.
A series of tests for urinary tract infections would be unremarkable in a woman, but for a man-such as a male patient identified in the court records-that would be "very unusual," said Nagel. "It can mean something about their personal conduct."
Nagel, Frawley and Schyve could not point to any specific confidentiality law that had been broken by making this information public.
"While Congress is considering potential bills to protect medical privacy, most of those bills would allow this kind of thing to go on," Nagel said. "(The bills) allow carte blanche to fraud-and-abuse investigations and law enforcement. At the moment, sadly, Congress does not appear to be moving in that direction."
The subcommittee on privacy and confidentiality of the National Committee on Vital and Health Statistics, an external advisory committee to HHS, has been worrying for years about lax privacy standards in fraud and abuse investigations. Under the rubric of law enforcement, virtually anything goes, Frawley said.
The Health Insurance Portability and Accountability Act, passed in 1996, requires the government to develop patient confidentiality standards. If Congress doesn't pass a law by August 1999, regulations developed by the secretary of HHS will go into effect.
Observers say that with all the new funds Congress earmarked for fraud and abuse, enforcement personnel probably haven't been trained in the subtleties of patient privacy.