In an ongoing legal battle over confidential patient data, a state judge refused to grant Kaiser Permanente access to the personal computers and email account of a couple the healthcare giant hired to store nearly 300,000 hospital files.
The ruling Thursday by Riverside County Superior Court Judge Harold Hopp marked a victory for Stephan and Liza Dean, who ran a small document-storage firm in Indio called Sure File Filing Systems. The decision came in a lawsuit Kaiser is pursuing against the Deans over their handling of patient information.
Kaiser’s actions in this matter have drawn scrutiny from state and federal investigators over potential violations of medical privacy. Last month, the California Department of Public Health found that Kaiser had “failed to safeguard all patients’ medical records” at Moreno Valley Community Hospital by giving files to the Deans for about seven months without a contract.
A company spokesman said “in making its ruling the court found that Kaiser Permanente was likely to prevail on the merits of its ultimate claims against the Deans” and it will continue to pursue access to the Deans’ computers unless they “can provide absolute and verifiable assurances that they have returned or destroyed all protected information.” Kaiser added that it continues to work with state regulators on a plan to address this matter and prevent any similar incident in the future.
Kaiser, the nation’s largest nonprofit insurer and hospital system, hired the Deans to store thousands of patient records from two of its Southern California hospitals — Moreno Valley and West Los Angeles Medical Center — from 2008 to 2010. The Deans kept them at a warehouse in Indio that they shared with another person’s party rental business. Kaiser picked up those paper records in 2010.
At issue in court has been the return or destruction of patient data left behind on the Deans’ three home computers and in their Hotmail account. The Deans said they had more than 600 unencrypted emails from Kaiser and other computer files containing details on thousands of patients.
In October, Kaiser sued the Deans, accusing them of violating their contract by not returning all of its patient information as required when Kaiser picked up the paper records. On Dec. 31, the Deans said, they deleted all of the computer information they had related to Kaiser patients.
At a hearing Thursday in Indio, Kaiser sought a preliminary injunction that would have ordered the Deans to allow a forensic consultant access to their computers and email account.
Hopp denied that request and granted a narrower preliminary injunction against the Deans, barring them from retaining and disclosing any confidential patient information.
The Deans said they were pleased with the judge’s decision because they felt Kaiser’s request for computer access was an invasion of privacy. “They created this mess and now they want to look through our underwear drawer just because they’re Kaiser,” Liza Dean said.
Federal and state laws impose strict standards on anyone handling patient information. Federal privacy rules ban the unauthorized disclosure of medical records and require healthcare providers and vendors to protect the information.
Stephan Dean said he’s willing to allow a forensic inspection to ensure no one hacked into patient information if Kaiser pays him. The company said it has already fully compensated the Deans, paying them about $500,000 in all.