University of California-Davis Medical Center Survey Discloses Patient Information
Private medical information for about 200 patients at the University of California-Davis Medical Center was disclosed last weekend after answers to an online survey were revealed to other respondents, the Sacramento Bee reports. Some medical privacy experts said the disclosure "violated the spirit, if not the letter, of state and federal patient privacy laws," the Bee reports.
The survey asked patients who use the Internet to make appointments, refill prescriptions and contact physicians to provide their ZIP codes, e-mail addresses, age and gender. The survey also asked patients how many prescriptions they fill and whether they had a chronic medical condition.
The survey inadvertently included a link to a page showing complete survey results from other patients, the Bee reports. UC-Davis on Wednesday e-mailed patients to explain what happened and apologize.
Federal law requires hospitals, health insurers and companies that process medical records to protect patient privacy in all electronic transactions involving patients' medical information. However, the federal Health Insurance Portability and Accountability Act does not directly apply to all subcontractors a hospital might use, and the law might not apply to survey responses, the Bee reports.
Joanne McNabb, head of the Office of Privacy Protection, said the state Confidentiality of Medical Information Act also might apply to the case.
Burt Cohen, who oversees compliance with federal privacy laws for the state, said, "As far as did anybody break any laws, it looks to me like a little bit of a gray area because of all the contractors involved."
Rory Jaffe, who oversees patient privacy at UC-Davis, said the incident was a "breach, but not a direct violation" of the law. He said that the medical center did not conduct the survey and that the questionnaire was not conducted by a direct business contractor of UC-Davis, the Bee reports.
RelayHealth, which helps UC physicians use the Internet to communicate with patients, hired a subcontractor to post its questions on a Web site that hosts online surveys. Some 600 patients in California completed the survey between Friday night and early Sunday morning, when RelayHealth discovered the problem and removed the survey. RelayHealth has stopped using the unidentified vendor hired to conduct the survey.
Jaffe said the hospital will revise its contract with RelayHealth and require that hospital executives approve future surveys in advance, the Bee reports (Rapaport, Sacramento Bee, 12/10).