A federal agency is investigating whether the company Idaho hired to manage part of its Medicaid program has violated patient-privacy laws.
Optum Idaho, a unit of United Behavioral Health, took over insurance management for Idaho Medicaid's mental-health and substance-abuse patients last fall.
Local health-care providers who treat those patients say Optum has erroneously sent them reports meant for other providers. The reports show patient names and mental-health or substance-abuse services the patients received or were authorized by Optum to receive.
Emails obtained by the Idaho Statesman through a request under the Idaho Public Records Act show that providers have complained to Optum Idaho, the Idaho Department of Health and Welfare, the Idaho attorney general and the U.S. Department of Health and Human Services since October 2013 and as recently as last month.
“We have received multiple authorizations for clients that are not ours (were never ours),” a provider, whose identity was redacted by the Department of Health and Welfare, wrote in January.
Optum says the violations amount to about one-hundredth of 1 percent of the 1.3 million claims it has processed so far in Idaho, and that none has resulted in disclosure of patient information outside the network of providers, who also are prohibited by law from disclosing it.
Idaho contracts with local mental-health and substance-abuse treatment businesses to provide counseling, psychiatric care and other services to its Medicaid patients. Idaho hired Optum last fall to better manage the program’s rising costs.
The patient-information errors are the latest in a series of actions by Optum that have angered some mental-health providers who must now have their services and payments approved by Optum. Some providers say Optum has created red tape and cut services needed by at-risk patients. Some say Optum hasn’t paid them promptly, putting their businesses’ survival, employees’ jobs and patients’ ongoing care at risk.
Providers said in complaints and interviews that, while they can destroy misdirected information on a document they can hold in their hands, they can only view much of Optum’s misdirected information online and lack the access to destroy it.
One provider’s owner called Idaho Health and Welfare in October reporting that “one of his competitors [said] they received five pages of patients' information and a sizable check from Optum,” according to an internal departmental email from October.
Health and Welfare said in July that it had received six complaints related to the Health Insurance Portability and Accountability Act — the federal law, more often known as HIPAA, that governs privacy for patient information. The department's privacy officer reviewed the complaints and decided they weren't “reportable” breaches of the privacy law.
State: Disclosures inadvertent
Department spokesman Tom Shanahan said the disclosures fall under an exemption for “inadvertent disclosure of protected health information” by someone who's authorized to access that information to another person who's authorized to access it, “or [an] organized health care arrangement in which the covered entity participates.”
But the U.S. Department of Health and Human Services’ Office for Civil Rights — the agency tasked with enforcing the HIPAA law — is investigating the complaints Idaho providers lodged against Optum.
“The subject matter of your request is the subject of an open and ongoing investigation,” the department said this month in a letter responding to a Statesman request under the federal Freedom of Information Act.
Releasing the documents “could seriously compromise the integrity of that particular investigation, and ... such a release, in general, would damage the procedural integrity of the investigative process,” the letter said.
You can read all of the documents obtained by the Idaho Statesman here.
One provider’s experience
Dozens of the complaints under review are from two Boise providers, Idaho Behavioral Health and Access Behavioral Health.
Chris Culp, chief operations officer for Idaho Behavioral Health, said his company has filed 25 federal complaints about receiving patient information for people who aren't its clients.
Optum asked Idaho Behavioral Health to file a formal complaint with Optum, he said.
“And what typically happens is I'll send an email, I'll provide the information — exactly what happened — and then I will get a form letter back within 10 days that says ‘I've received your complaint and we will do our investigation and we will let you know what the results of that are,’” Culp said.
But Culp said he's received no follow-up letters from Optum about the results or what the company is doing to correct any problems with privacy protection.
“And if that's the organization that's in charge of our health care here in Idaho, that's kind of concerning to me,” he said.
A second provider’s experience
Access Behavioral Health, an outpatient clinic in Boise, has filed 11 complaints to the Office for Civil Rights.
Matthew Montoya, the clinic’s billing specialist, described incidents similar to those reported by Idaho Behavioral Health. Montoya would receive paperwork meant for other providers, with enough detail to easily decipher what kind of behavioral-health treatment that provider’s patient was receiving.
Optum responded to a March complaint by Access Behavioral Health with a two-page letter that detailed an “Improvement Action Plan” that Optum had taken in response.
Optum wrote that its response included conducting an audit and giving three people “refresher training and post-training job shadowing to assure compliance with retraining.” The company told Access it also planned to do “ongoing coaching on all identified errors assessed via random audit” and continue to make sure all shared information is “appropriately mitigated,” among other things.
“It just really didn’t solve anything,” Montoya said.
Optum: We fixed the problem
Optum Idaho Executive Director Becky diVittorio said her company has confirmed 134 instances of information being incorrectly sent to providers.
“We investigate all privacy concerns that are reported to us,” she told the Statesman. “We do not believe that the incidents that we have investigated resulted in breaches pursuant to HIPAA, as there was low risk that the information at issue was compromised. Providers also [must comply with] HIPAA rules and regulations ... related to safeguarding patient information.”
DiVittorio said that, because Optum’s internal investigation found no breaches, it has not notified Medicaid members.
“Consumer information was not compromised outside of the health system,” she said.
In April and May, Access Behavioral Health sent new complaints to Optum officials, saying Access was still getting information about patients who weren’t under its care.
“This goes back to the integrity of their data,” Montoya said.
DiVittorio disputed that, saying Optum takes “the protection of members’ data very seriously, and we have stringent policies in place.”
She said the company has put in additional safeguards, such as training, to prevent future errors.
sensitive information
Tami Jones, CEO of Idaho Behavioral Health, said psychological treatment information is more sensitive even than medical records, so it should be more closely protected by Optum.
“It's your insurance company who's now sending your name, your diagnosis code, and the services that you received – all that information – off to somebody that you've never given permission to provide services for you,” Jones said.
Investigations not common
An investigation does not mean there has been a violation of HIPAA law. The Office for Civil Rights complaint process starts with a review that can lead to one of three things: investigation into possible criminal violation, investigation into possible privacy or security rule violation, or no investigation, if the complaint clearly doesn't meet the legal requirements to be a violation.
Most complaints do not prompt an investigation, according to Office for Civil Rights statistics.
The office received almost 13,000 complaints last year, and about 9,830 of them never made it past the initial screening, because they weren’t eligible for investigation and enforcement.
On average, for roughly one-third of the complaints that do require an investigation, the office finds no violation. The other two-thirds result in enforcement, with a hospital or health-care plan making a change to its privacy practices, for example.
It is “not extremely common” for the Office for Civil Rights to open an investigation into HIPAA complaints, said Kim Stanger, an attorney for Holland and Hart in Boise who specializes in health-care law including HIPAA but is not working in any capacity on the Optum Idaho complaint issue.
“I personally don't think it's something that would keep me up at night, if it's going to a provider and that provider is going to destroy it,” Stanger said, adding that as more health-care transactions and records go online, misdirected information is “a real risk.”
This story is a collaborative reporting effort by Boise State Public Radio and the Idaho Statesman.
Find reporters Emilie Ritter Saunders and Audrey Dutton on Twitter @emiliersaunders, @IDS_audrey