U of L physicians' group drops open-records appeal, but C-J may still not get records

An organization representing University of Louisville doctors who were trying to keep their financial records private dropped its lawsuit appealing an adverse open-records decision Tuesday. In April, Attorney General Jack Conway ruled that University of Louisville Physicians Inc. is a public agency and, as such, is subject to the Kentucky Open Records Act. Conway's opinion was requested by The Courier-Journal.



Last November, state auditor Crit Luallen released a scathing audit against Passport, which provides managed care for 165,000 Medicaid patients in Jefferson and 15 surrounding counties. The audit accused the organization of "wasteful spending, conflicts of interest and the questionable transfer of $30 million in Medicaid funds to organizations represented on Passport's board, including University Physician Associates," The Courier-Journal's Tom Loftus reports. Because of the audit, the newspaper asked for financial records from University Physicians Associates and University of Louisville Physicians Inc., which is the successor to University Physicians Associates. They refused to hand over the records, and Conway's decision followed.



Though the attorney general determined the organization should be subject to the open-records law, and the doctors' lawsuit has been dismissed, giving Conway's opinion the force of law, The Courier-Journal may not receive the records it has asked for. In its notice of dismissal, University of Louisville Physicians stated it could change "its structure and function in the future which it believes may alter its status as a public agency."



"We are still forming our final structure and function," Diane Patridge, ULP's vice president for marketing and communications, told Loftus. "Once we're up and fully established we may appeal this current determination." Curiously, "Partridge also said that ULP has no records to release to the newspaper as a result of the dismissal of the case," because it has no employees -- even though it was incorporated in March 2010. "She said University Physicians Associates . . . has handled all financial matters and paperwork for ULP to date," Loftus reports.



“This case is another piece of a puzzle,” Courier-Journal attorney Jon Fleischaker said. “It’s another step to try to make sure there’s more transparency at the University of Louisville School of Medicine and University Medical Center.” (Read more) "Sounds like a shell game with shell corporations," said Al Cross, director of the Institute for Rural Journalism and Community Issues and associate extension professor of journalism at the University of Kentucky.

Data leaks are a risk with electronic health records; state says it has safeguards to protect privacy

As hospitals and other health-care providers in Kentucky and across the country are adopting electronic health records to save money and improve care, they do so at some risk. The medical files containing insurance forms, Social Security numbers and doctors' notes of about 300,000 Californians were posted recently on the Internet, available to anyone who might stumble across them or know how to search for them. "At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized," The Associated Press reports.

"When things go wrong, they can really go wrong," said Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit that tracks data breaches. "Even the most well-designed systems are not safe ... This case is a good example of how the human element is the weakest link."

Generally, data breaches are the result of hackers who break into computers or thieves who steal the actual equipment. Sometimes they can just be be caused by human error. Leaks can also happen as data passes through health industry networks. "Dozens of companies can be authorized to handle a single person's medical records," the AP reports. "The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected."

One of the biggest breaches was in 2006 when a laptop containing data for 26.5 million veterans was stolen from the home of a government employee. The computer was recovered. This year, hard drives containing personal information of 1.9 million Health Net insurance customers were taken. They contained health histories, financial information and Social Security numbers. The matter is still under investigation.

In the wrong hands, "health records can be used for blackmail and public humiliation," AP notes. "The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants."

Preventing data leaks is on the minds of Kentucky officials setting up the Kentucky Health Information Exchange, the state clearinghouse for EHRs. Participating providers have to sign several agreements in which they attest the information they obtain will be used responsibly. "The golden rule is this data will only be viewed by a provider who is providing care to a patient," said Jeff Brady, executive director of the Governor's Office of Electronic Health Information. To make sure that is happening, Brady said the software has an audit function, in which administrators are able to see who looks at a patient's data, when they did, from what computer and what piece of data was examined. (Read more)