When University of Utah health law professor Leslie Francis learned her name and Social Security number had been exposed in the state's Medicaid breach, she decided to do what any scholar might do: investigate.
She deduced that, like the majority of breach victims, her information was sent to the Utah Department of Health by a provider inquiring whether she was covered by Medicaid.
That was a surprise, because she is insured through her employer and none of her providers had declared in privacy notices that they may bill Medicaid. What's more, when she asked the hospital she believes is at fault to fess up, citing the Health Insurance Portability and Accountability Act (HIPAA), the hospital refused, citing the same law.
"I can't confirm that it was [Salt Lake Regional Medical Center]. But by process of elimination, it looks like the only candidate," she said, explaining she went to the hospital six months before the breach for a routine mammogram.
The hospital is owned by IASIS Healthcare, which has been tied to a disproportionate share of breached records.
Francis said IASIS may be within its legal rights to refuse to say when it shared her information and with whom, at least for now. Reporting rules are expected to tighten when officials write regulations to enforce another federal law, the Health Information Technology for Economic and Clinical Health Act.
But she argues the company's privacy notice violates HIPAA because it doesn't contain "sufficient detail" about its handling of patient data. It may even be misleading enough to constitute unfair trade practice, said Francis.
She is filing complaints with the Health and Human Services' Office of Civil Rights and the Federal Trade Commission, which could subject IASIS to federal fines.
No matter what the feds decide, the Utah Hospital Association is crafting a "clearer, bolder" uniform privacy notice for use by the state's hospitals and clinics, said the association's CEO and President Rod Betit. Lawmakers, too, are exploring legislative remedies.
A professor and former chairwoman of Utah's Health Data Committee, Francis is doubly insured through her plan and her husband's plan, which means she doesn't even have to pay co-payments.
As a professional attuned to security and privacy threats posed by the "tsunami of enthusiasm" for health data, she is happy to see rising public awareness.
"I'm a specialist on these kinds of things, somebody in a privileged position insurance-wise with the knowledge to protect myself," she said.
But many of the people involved in the breach were uninsured, retirees on Medicare or low-income kids on Medicaid. "Think of all the children whose parents may not know how to protect their kids," Francis said.
Utah's largest nonprofit hospital chains, Intermountain Healthcare and University of Utah Health Sciences, have insisted they don't "ping" Utah's Medicaid Eligibility system routinely, or with all patients. They say they do it for patients who are uninsured, those who claim to be on Medicaid and those with past-due medical bills.
IASIS officials have repeatedly declined requests to explain their policy.
"Salt Lake Regional Medical Center takes privacy and confidentiality extremely seriously, and will work with individuals to resolve any issues," said IASIS western division president Ed Lamb in a prepared statement on Thursday.
But in a May 21 letter to Francis, Salt Lake Regional compliance and privacy officer Klay Kunz described it this way: "It is the hospital's practice to verify if certain patients, who may have private insurance, would also be eligible for supplemental coverage through the state Medicaid program. There are a significant number of Utah residents who are covered by Medicaid who are not aware they have this coverage."
The practice is comparable to hospitals across the country, Kunz added.
Francis questions whether the practice, if it is indeed commonplace, exposes patients to undue risk.
"There was absolutely no reason for Salt Lake Regional to worry about getting paid. They billed promptly, and were paid promptly," she said. "Regardless, if they routinely make inquiries, their privacy notice should say they routinely make inquiries. It's something that might make a difference to me in selecting a provider."
HIPAA permits hospitals to share patient information for treatment, billing and operational purposes. But they have to explain how this happens with "sufficient detail."
Salt Lake Regional's notice says: "Your physician may share information about your condition with the pharmacist to discuss appropriate medications, or with radiologists or other consultants in order to make a diagnosis. The hospital may use your medical information as required by your insurer or HMO to obtain payment for your treatment and hospital visit. We also may use and disclose your medical information to improve the quality of care (e.g., for review and training purposes)."
There is no mention of other insurers, such as Medicaid.
What's "most disturbing," said Francis, is IASIS' refusal to own up to its use of her data, information her dentist and primary care doctor readily provided.
Data is useful for improving care and curbing health costs, but the more data that changes hands, the greater the chances are that it will be misused, she said.
"IASIS says they're doing this out of consumers' interests. They could also be doing it out of their interests, trying to find any possible source of payment," said Francis. "But folks ought to know that up front. Otherwise you have no way to protect yourself."
A look at the Utah breach
What happened • Hackers traced to Eastern Europe broke into a poorly protected state Medicaid server and stole the personal information of 780,000 Utahns.
What's next • The FBI is investigating the crime, and federal health officials are investigating to see if penalties are warranted.
One victim's saga • Learn more about the steps University of Utah law professor Leslie Francis took to protect herself and her information at http://bit.ly/Kvg5CW.
Was your info hacked?
If you've been to a Utah health provider in the past four months, or possibly the past year, your personal information may have been exposed. To find out, call 1-855-238-3339.